
BSides DC 2016 - How to Join the Infosec Community

BSides DC · 2016 · 47:13 · 2.4K views · Published 2016-10
Category: Community
Difficulty: Intro
Style: Talk
About this talk
In 2005, I was happy. I’d earned my CEH and CISSP certifications and was content in a job performing security testing. I’d heard about “hackers” and their “0-days” but had never met one nor developed an exploit myself. It was at my first Defcon in 2006 where I learned that hackers did more at conferences than merely attend talks. They participated. They shared. They picked locks! OMG THEY PICKED LOCKS! This was a community that I wanted to join but I didn’t know how. If this sounds like you (or your friend), I encourage you to join me for this talk. We’ll laugh. We’ll cry. Oh and I will share my top strategies for joining the infosec community too!

Micah Hoffman

Micah Hoffman has been working in the information technology field since 1998 supporting federal government, commercial, and internal customers in their searches to discover and quantify information security weaknesses within their organizations. He leverages years of hands-on, real-world penetration testing and incident response experience to provide excellent solutions to his customers. Micah holds GIAC's GMON, GAWN, GWAPT, and GPEN certifications as well as the CISSP and is a SANS Certified Instructor. Micah is an active member in the NoVAHackers community, writes Recon-ng modules and enjoys tackling issues with the Python scripting language. When not working, teaching, or learning, Micah can be found hiking or backpacking on the Appalachian Trail or the many park trails in Maryland.

Thanks to our video sponsors:
Antietam Technologies http://antietamtechnologies.com
ClearedJobs.Net http://www.clearedjobs.net
CyberSecJobs.Com http://www.cybersecjobs.com

the BSides DC 2016 videos are brought to you by ClearedJobs.Net and CyberSecJobs.com tools for your next career move and Antietam Technologies focusing on advanced cyber detection analysis and mitigation hi everybody welcome thank you very much for coming to my talk appreciate it the next hour of your life is going to be so entertaining and so fun you are not going to believe you're in DC about how to join the information security community and for those of you that didn't know it it's 2016 it is we have amazing things in 2016 we've got hoverboards well yeah they catch fire and they have wheels but they are hoverboards right right we have self-driving cars which is pretty cool

we even have let's say that you're making dinner okay and you and you have a grape that falls on the floor and it breaks open we have robots that can stitch grapes together because somewhere in the world that's a need well I mean these things are out there and it's an amazing amazing world we live in and it's kind of cool because I'm at work I'm kind of a senior person okay I've grown up through all of the old things that have happened and and now there's all these new things in this world and constantly people come to me and they say hey you know what you're a senior person would you be my mentor would you teach

me how to get into the information security community would you teach me how to be where you are on that side of the desk and ultimately the conversation moves into how do I InfoSec what do I do to do information security things not just at work but in other places and so I have to introduce to my mentees the concept of information security industry versus information security community there is a difference and for those of you that have been in the industry for a while you'll recognize it this is the professional you know you're going to work you're talking with customers you're talking with clients you're solving solutions versus the community we well is you people that go to

conferences sit down and pick locks do other things they're distinct but there's a lot of overlap and I wish I made a Venn diagram that shows the overlap some people like I used to do stay in the information security and like I used to do and stay in the information security industry and don't dip their toe into the community they don't come over here and see all the cool things that we're doing now that's an absolutely fine thing to do because some people need that they feel secure just being in the community being in the industry or likewise some people love being in the community without necessarily getting into the industry section but nowadays we have an issue we

have at least in the DC area here we've got more jobs in InfoSec than we have people to fill them so we have this huge demand for people to come and do the work for either our customers or for our companies and that's a great position to be in as a in person already in InfoSec I I love having that all these companies want me to come work for them that's really cool if you're somebody that actually is looking to get into InfoSec then this talk is for you this is a talk to help you join your InfoSec industry life and you're in for a life isn't necessarily that strong for you right now I'll give you some some tips some

points but if you are one of the people that's trying to hire one of these people trying to get them to come to your company I would almost guess that you've tried all the traditional ways of hey we'll post something on our website and we'll just wait for resumes to come in in I'm kind of guessing that that's not working as well in this market as it might have been five 10 15 years ago and that's because it's a buyer's market as far as jobs we've the people with the skills can shop around and get new jobs in a day in a week it's really easy so one of the things that I find is that if

we have people that want smart InfoSec community people and we have people that want to join the InfoSec community then this is the prime place for each of those different groups to meet and you have vendors out here people that are looking to hire people just like you and me and it's a great place it's a great feeling to be in what I find is that if you marry the industry with the community it's like taking chocolate and peanut butter and putting them together I'm just type of hypothesizing I'm thinking this might work putting chocolate and peanut butter together it might be a good thing and that's what we're doing here because the community augments the

industry and the industry augments the community we'll see how that works but right now I want to show you my 14 tips to enhance your community life or if you're looking to hire people in the community to get into their lifestyle meet them where they are so that you can hire them and ultimately retain them the first thing is really that double-edged sword that catch-22 it's like I'm gonna tell you to get experience well that's great Micah the reason why I'm here is that I don't have experience and I want to break in the industry cool I get it information security is a really really wide wide field and it can get quite deep as well what do you do what do you

start how do you start the way that I like to tell people to start is you start with general experiences right let's say that you're a person that's and that's an audiophile you really like like sound systems and your home entertainment system is really like smoking at home cool you have some skills there your your home system might have Wi-Fi on it it might do some things interesting with sound you can parlay that you can mix that up with some computer things whether you're using a Raspberry Pi to power that or something else or what if you are playing with Raspberry Pis or you've heard of one and you you want to play around with it in

information security we do is we take those basic skills I'm guessing that some of you might have parents or relatives that you are the primary helpdesk person right when they click an email that they shouldn't have yeah yeah I don't know why my screen has this face on it but it says I need to pay some bitcoins to get back in yeah you are the primary people and that help desk work that regular system administrator work that's your foundation what I think is that people that have that foundation of normal everyday InfoSec skills can pile on the InfoSec to the top of it can can learn the information security stuff that leverages those foundational skills so

when when people say go out and learn things go out and do things yeah you can get a certification but play with your computers try out other types of architectures or devices mobile things because that foundation is going to help you be more effective when you get into other types of the InfoSec industry and for those of you in the InfoSec already you understand that there's actually once you get into InfoSec because that's a lot of people's jobs everyone I want to get into InfoSec and you get in there and then people start talking about reverse engineering and IDS's and policy in and and you realize that there's this other inverted pyramid on top and

InfoSec is really quite broad and that's okay because there's time for you to become a specialist there's time for you to take and keep building upon your information security knowledge to grow and and ultimately give back now when I started in this industry I started back with ye olde timey stuff yeah Pong Atari yeah those were my basic skills I started playing on an Apple IIe and writing some interesting programs for it and then I graduated up to NT 4.0 any NT 4.0 MCSEs out there yeah right yeah that's what I started doing playing with Windows systems and and I got a job doing system administrator work and it was cool I was learning how these

systems worked properly once I did that sufficient I actually started playing with Solaris as well my boss said hey Micah you understand this Windows system administration stuff cool how about you come and do this UNIX stuff because it's very very similar it's just totally different sounds like okay I guess I can and you know so what do you do when you don't know what to do you google it or back then you AOL it yeah so so I Ask Jeeves thank you sir yes from the past so so you know you go on there and you and there's lots of people that can help you out I found a nice person that had posted you know if

you're a new person that that needs help testing your your UNIX system as the root user type in rm minus rf slash it was the best way that I learned how to rebuild that server after it started removing all the files on it but yeah so there's things out there this is my experience this is my foundation and I'll bet each and every one of you has some of that stuff and you know what if there's things that you don't know if you go out and learn and that's my tip number two learn things take control over your self learning and I say self learning some of us we learn better by by standing in it and by it by being in

a room where an instructor is leading us absolutely cool some of you have the self-discipline to do an on demand type of a course or watch a YouTube video and learn stuff from it cool wherever you're at there are resources out there that can help you whether it's you guys have heard of YouTube yeah it's a new site um yeah YouTube you go on there and you type how do I you get a lot of interesting responses back there's some of that as InfoSec stuff and you can do anything from how do I attack this system or leverage PowerShell in this or some of the Primal Sec stuff do you guys have videos out there yeah on YouTube

right Python learning in and other things it's a valuable resource if you're the type of person that can learn stuff from videos I'm a type of person where I need it spelled out for me too so wikis and blogs there are people that will find anybody see the the FruityArmor APT attack or the Dyn DNS attack just this past week there are already blog posts out there detailed blog posts by Krebs and other people that have outlined exactly how this thing goes and how these things went on then it breaks it down for us so learn capture the flags are a wonderful time to learn too because they're you're doing hands-on stuff not just a reading

about something not just getting a video about something but actually doing hands-on this morning I did some of the I mean I watched as my kids did some of the Crypt kids CTF and it was really cool just to get back into like ciphers and all just to do something and have a goal to achieve I mentioned that the one of the ways that I like to learn was doing instructor-led training and so in back in the early 2000s I took a class from the SANS Institute and it was so empowering I went there I learned I took that stuff back to my work and I said hey let me show you how our systems

are insecure and I did it my boss's eyes got open and and he said this is this is great we need you to to be an InfoSec person all the time I was like cool so I kind of parlayed it into an InfoSec career like yeah I'm an information security professional now this is awesome I got cards with that on there I felt really good and you know the best part about information security professionals is this well if you google it and you go to Google Images you get this guy now any of you InfoSec professionals out there actually do this on a daily basis it probably deals with cybers or something or I don't know holograms

maybe we just haven't gotten there yet I don't know um so yeah and you know being in the industry cuz I was doing this all all for work and and you know I went to SANS through work and I did all these other things through work I got my CISSP because you know that taught me more about the industry I was really happy camper I was feeling good about myself I was learning things and so my boss came up to me said hey you know what you're getting pretty good at this how about if you go out to Black Hat you know that this big like InfoSec community on InfoSec training out in Las Vegas it's

like you guys I mean to Vegas for a week for free really yeah yeah I'll go oh and I have to go to talks cool so I went there and that's me at Caesar's Palace yeah um so I went there and and I learned in these talks were wonderful I actually found out in the talks this was my first information security conference and I've never been to one before and I found out I had some skills I really did and it made me feel good because I found out that there were vendors out there that will give you stuff all you have to do is scan your badge they will give you free stuff I've got so much stuff I had

to buy another suitcase to get it all home well worth it though well worth it I still get emails from that but um when I was in in 2006 I was out there and my boss said you know what Mike since you're already out there we heard about this other conference it's kind of exactly like Black Hat it's DEFCON it's just exactly exactly the same but totally different so do you want to go it's like peahats only 100 bucks I'll go and so I went there and I met hackers yeah yeah yeah hackers were scary people at that time these are people with with with ski masks on typing with gloves that is uber have you ever tried to type

with gloves on this guy's got some skills right yeah but the this was like mixing information security professional with this this weird class of people that I'd never ever met of I just I never met but I'd always heard about them and so what I did was I went to DEFCON and I stayed as far back from all of the things they have this cool cooler contest were to see how fast you could cool down beverages that's really cool I'm not doing anything with them just staying back did this wall where they had intercepted all of people's clear text communications all the Wi-Fi and they'd taken out usernames and password and they put this on the Wall of Sheep

it's like wow that's weak oh my god is my Wi-Fi on so I observed from a distance because I was not yet ready to engage with the community with those people and that's cool that's where I was at at that time and I stayed in that place for many many years until one day a good buddy of mine actually pwcrack Bob Weiss here who runs BSides DC he kept hammering on me he's like hey you know what you got to come to Virginia I live in Maryland it's like you got to come to Virginia with me there's a bunch of people and NoVAHackers of the king he said don't come they're normal people

they just like information security it's like all right so I went and that's my tip number three join a group like I said I joined NoVAHackers but since then I found there's Unallocated Space up in Baltimore there's other groups out there go to these groups it says hackers in it or unallocated I have no idea what that means it's like a memory corruption thing but these are places with people just like you and me in fact a lot of the volunteers and a lot of people in the audience probably have been to one of these groups at one point in their lives or maybe they're regular members or maybe they run them these groups are great because they meet

on a regular basis in communities like yours and mine and they talk about information security they talk about the things that we're interested in and they help raise your awareness you can talk to the people that just gave a talk in fact these are groups that are a self-run so participation is a must each person in the organization stands up and gives a 15 minute talk about something if you don't want to join these groups that's cool there's ISSA chapters out there there's even OWASP chapters the Open Web Application Security Project all around the world don't like that there's meetups do information security if you go to meetups and you want to look for a

group InfoSec had very few hits on it but there are these groups that are out there all over the world that have opportunities for you to connect with other people just like you and you know what it does when you're going to look for that next job or when you need help with that Python script where you want to get into ham radio but you have no idea what you're doing these are the people that are going to help you these are the people that are going to connect you with the resources or just teach you now I mentioned that these groups are groups where the members many times will present to to the other members and what that creates

a big barrier for people in fact if you go to the NoVAHackers.com website you'll see that you know there's a fight night type of mentality where your first time there you have to present it's not that way actually and what people generally tell me is that you know hey I go to these things but you know what everybody knows exactly what I know everybody knows the things that that I would present on so I really don't have anything I can present on that's not the case within the industry there's something called impostor syndrome impostor syndrome is where you feel inadequate about your skills and abilities because everybody else is doing things that you aren't

that you are not doing and and they're doing uber ly things that you're not and so you feel like your skills your connections what you're doing it can't compete with that I had a very bad case of impostor syndrome when I came back from DerbyCon one year about four years ago I came back I saw people doing 0-days and and PowerShell stuffing and really cool things and I got back and I was like you know what I'm not doing any of that stuff what the heck what good am I doing in in in the industry and I actually started looking for jobs outside of InfoSec I didn't find any that paid that well or or anything so I stayed in the

industry but this is something that that's very pervasive especially for people just looking to break in but here's the thing Bill Nye puts it puts it very succinctly that everyone you'll ever meet knows something that you don't it's just a matter of whether that can come out you might meet somebody that's really good at like kernel rootkit development or just understanding kernel stuff you might meet people that understand how to program or how to programming languages that have not even been invented yet or you might meet people that do what this guy is doing because I don't even know what part of infrastructure thing but it looks awesome that gives with miniaturisation keys it's just a

password right I think that's under the keyboard yeah it says password but yeah so you know something that somebody else doesn't know you just have to figure out what it is I talked I did a similar talk to this at BSides Charm earlier this year and I brought up that one of our members in NoVAHackers one day gave a talk about how to brew the best cup of coffee well that's not related to InfoSec but if you think about it what do we run on caffeine right so this was very very well well written well well-received talk so you know stuff how do you know when you're gonna get where you're going you gotta set goals because as Yogi

Berra says if you don't set goals and you don't know where you're going how do you know when you're gonna get there this is an important piece of our of our lives you might not be a person that's it's a year five year ten year plan that's cool I'm not either but I can tell you this you can set short-term goals I'm going to achieve this certification by this date I'm going to learn Python and create my first script on that date and hold yourself accountable to those dates put them in your your whatever you use to to keep track of dates and times make it a firm appointment with yourself to to go ahead and and achieve that goal

and then when you achieve it set another goal or set more goals because you know what when you do this you'll be able to track your progress you'll be able to see that you have learned new things you have developed over time which is a lot of things that we don't look for when we are trying to get through the information security industry we're always looking ahead we're looking at the new skill we want to learn we're looking at that new technique that new opportunity you don't see the stuff that you've already tackled you don't see the stuff that you already know that junior people are looking up and going holy cow I have to learn what TCP/IP means I can

barely spell it IPv6 forget about it but you know it it's core to you and you've already moved on so um make sure that you make time for yourself to achieve your goals next thing is open source projects open source projects are really important I feel because it's your chance to give back to the community it's also another place to engage with community these are projects that people are making and publishing the code online there's lots of opportunities when I was a UNIX system administrator I could write bash scripts really well but I found as I got older that bash wasn't a great programming language and there were these other things like Python and Ruby

and Perl okay maybe not Perl but there's Python and Ruby and sorry if you like Perl well never mind um so I decided to learn Python and and I could participate with a project called Recon-ng it was really good because what I found is that I could do all of the tutorials online I could listen to all of the Primal Sec podcast and do all of their trainings and stuff like that and that was great but if I actually sat down at a keyboard and tried to type out some Python try to make a script I was ineffective I could not do it and to goal and so Recon-ng allowed me to

mix web application stuff which I under already knew along with Python and marrying that chocolate and peanut butter together allowed me to have a reason to Python now one of the things I hear is that from people as well I'm not a programmer I don't know how to code things so I can't participate in the open-source community and I say that's wrong because there are projects out there that if you know how to use Notepad or TextPad or Sublime or whatever it is gedit you can participate here's just three of them that came up off the top of my head I have a project on my will on my GitHub where I have published just extent

essentially a text document and that text document is interview questions if you're looking to interview text on technical people so there's just questions there's no programming it's just documents on the FuzzDB the fuzz database all that is is lists of words special words organized maybe there's a list of user names a list of passwords a list of files on a certain server if you can type in file names or user names you can contribute and then there's a Justin Nordine's OSINT Framework this is just essentially like bookmarks they're URLs that you copy you pasted in there and they're done it's pretty easy and anybody can do it if they want to Micah's step number

six is attend and participate that's the important part at conferences you've already satisfied probably both of these here this here today maybe yesterday right how many of you did another activity aside from just attending the the talks how many of you pick locks or how many of you did a wireless CTF or the Crypt kids thing or or yeah you're already doing this stuff and there are lots of opportunities for you within this DC Maryland Virginia area to attend conferences these these conferences like this the BSides they're great for meeting people in your community for talking with people for making those connections and for learning your new skills BSides DC this weekend BSides NoVA is the first-ever

Northern Virginia conference the call for papers is out there and they're going to be doing some amazing things in Reston Virginia Herndon Virginia coming up in February and BSides Charm in April all of them great conferences for connecting with people and I already mentioned that at these conferences they'll have The Open Organisation Of Lockpickers TOOOL or some other people there doing a lockpick village if you've never picked the lock as some of you probably haven't ever done go in that room over there sit down on the table pick up a turning tool and a pick and start out with the basic one lock it's amazing that feeling I saw some people today they were like oh I just

picked the lock like yeah didn't get arrested here it's awesome right yeah but try things participate when I was over there or sitting at the table and the people around they're like hey this is just like you know where I'll have our turning tools in our lock picks like this is just like a clambake you know where you're just sitting around socializing and every now and then somebody's like oh don't eat the locks but yeah I mean it's a social time to be together with other people and learn from other people teach other people if you're a lock picker sit down and show somebody that doesn't have the skills or doesn't have them yet there's also the

CTF over there that's going on um my first CTF was at DerbyCon several years ago and several of the guys that I did it with are here in the audience I had gone to DerbyCon you know with that that telescope going hey that's kind of neat they're doing like wireless hacking in that room that's neat I could probably do that yeah but I'm not gonna put mine now my computer on that network it's probably a hostile network you know hackers um but then the next year I was like no if I format the hard drive putting you know some some simple system in there if it gets compromised I can just throw away

the hard drive or reformat it whatever I could participate in this and so I did that and we got a team together and we did that we did the CTF and I said I'm just gonna sit down it's 12 o'clock on Friday I'm just gonna go until I'm bored that's all we didn't stop until 12 o'clock on Sunday we hacked the whole time and each day was neat because I would call us like hey I got this I have no idea what it's like and Luke or Andrew would be like oh I know how to do that can you help me with this and we would share information and we would learn from each

other it was a great experience we took third place that year one of the other things that you can do is talk to the speakers like myself like Andrew like other people that are talking we're here to help you learn and understand things and if you want to connect with us where you don't talk right now to me but talk later on to me but but talk to us come up and talk to share your experiences help us make our talks better tell us how we connected with you because this is an important part of the dialogue of the information security community again talking to people and making connections next thing you can do is make a blog now many people tell me

oh I've got nothing to post I I don't know what I write about carnal0wnage Chris Gates he's one of the founders of NoVAHackers great guy um he said you know what I don't blog for other people I blog because it's kind of a public way of me keeping notes because you're touching a lot of different systems or you're doing a lot of different stuff and invariably in eight months or 12 months or two years later you know Dan Timmy I already do this once you can just go back to your blog and pick it up and your blogging helps other people as well so what I did when I came back from that CTF that I did at DerbyCon I made

a blog post and I heard one a person commented on that and today I listen I'm gonna go ahead and I'm gonna do a CTF as well I thought that's great you know it helps one other person and it helps me to keep track of my my adventures there's other blogs that are out there that can be helpful if you want to create your own blog do it or your own podcast do it but there's some of that out that are out there that are really really good for instance Lesley Carhart hacks4pancakes is her Twitter handle she has an awesome blog and you know what her blog she has seven chapters of

how to break into information security what I'm talking about today lots of people are talking about it she has an amazing well organized and well written blog that you can use I put a little short URL at the bottom it's not gonna rickroll you or download malware or will it next thing I want you to do is go and volunteer give of your time why you meet people how many of you have volunteered at a conference before nice thank you all I appreciate your service there's opportunities to do it BSides DC they were still looking for people up until you know a couple days ago you want to volunteer at BSides NoVA coming up in in February there's

opportunities available you can just go in and check in people you can help speakers you can run some some type of some of the the events that are going on there there's lots of opportunities to pitch in go ahead and do it next thing ask for and take feedback anybody heard of this that most people listen with the intent most people do not listen with the intent to understand but the intent to reply how many times you've been sitting there and maybe you're talking to your spouse or your kid and they're like blah and you're thinking your head okay I'm going to go ahead and I'm going to share this life lesson with my child or or my why I'm

gonna tell her this you're not hearing the other stuff that she's saying or he's saying you're hearing what you want to trigger your response without taking in the entire conversation if we open ourselves up to actually hear what other people are saying it can be very powerful I'll give you an uncomfortable situation when this happened I was presenting a talk at BSides Boston great conference had a great time up there and my talk was called running away from security the talk was essentially about finding people online and tracing them back to their homes or they're on virtually tracing not actually appearing at somebody's house and that would be awkward hello I'm Micah I found you online so

but tracing them back. And I had three examples that I used in that talk. Guess what? They were all women. They just were. I mean, that's okay, I mean, as far as I was concerned. But a lady raised her hand at the end of my talk. She said, um, Mr. Hoffman, what do you have against women? I'm... anything against women? I love women. My wife's a woman. I like it. So she said, all three of your examples were about women. Why didn't you use one about a man? Like, well, I just didn't. But I thought about it. I was like, well, why couldn't I? So I took her feedback, which was not necessarily used in the best manner. I found out

later she had a feminist blog and she was just using, she was doing this to everybody at the conference. But that's okay. Her point was that my examples were biased. So I went home, and my daughter and I sat down, and we figured out a way to take the three examples and find one with a man in it. And you know what? My talk got better, because that man that we used for an example was actually a better example than the woman that I was using. So I listened to what she was saying and I actually learned a lot, and my talk got better. Next thing: as you start to learn stuff, share it. Even if

you don't think that you know a lot, you may surprise yourself. And here's the thing: you could take the things that you learned here at this conference, whether it is Andrew's talk or somebody else's talk or my talk, back to your organization, whatever it is, back to your college, back to your high school, and say, I learned how hospitals are vulnerable to things, or I learned this really cool thing about Python or PowerShell or whatever. Talk to me, do it over lunch, however. If you live in a state where you can have lockpicks, break out your lockpick set and show them how to break locks. It's cool. I went to Home Depot one day and

bought a hundred dollars' worth of locks, just grabbing deadbolts off of the shelves, and padlocks, and I have my arms full of stuff, and a Home Depot employee came over. He's like, can I help you, sir? Like, no, I got a lock-picking thing tonight, I'm fine. So, but yeah, we just took 'em on, we took 'em back to the office, we broke them up and we just started picking them. And it's amazing, if you're new to lock-picking, it's really easy to pick some of the lower-quality locks out there, and people were enjoying it. So share your information. Go to the Career Day at your children's schools. Don't just show up at the school

and, like, hey, I'm gonna want to talk to you about information security. Schools frown upon adult males, like, just arriving there at the doors unannounced. Um, but mentor kids, mentor other people, junior people that may not know as much as you. There's a person in my organization, really smart guy, really smart, and he's in one area of information security that I know very little about, and one day he came to me. It's like, hey, I'd like to mentor with you, Mike. Cool, all right. He said, I know nothing about networking. Like, what do you mean you know nothing about networking? He's like, I don't know what TCP/IP means, I don't know what a port is, or protocol. It's like, you're

like an expert over here in this, how do you not know about that? But he didn't, because he specialized. He didn't get that foundation of knowledge; he specialized, and that's absolutely cool. He's an awesome rockstar, and I helped him learn some things that I thought were basic and that he already knew. But we shared knowledge, we shared information. Now, if you so choose, you can go the professional route and start sharing. I decided to become a SANS instructor and teach people how to web hack and share my knowledge that way, and it was great. I love meeting students, I love talking with them and sharing knowledge. And you could do classes as well. Liam Randall over here, he does his

Bro classes that are just amazing, and other people as well. You could teach at BSides conferences. It's pretty cool stuff. One of the things I already alluded to was track your progress. Now, tracking your progress could be just putting a star on a calendar, it could be marking off that you achieved certain goals, it could be any one of a number of things. Let me make it simple for you, though. I have one of these things hanging on the wall in my office, and you might not be able to see it. This is a runner plaque, essentially. You buy this thing from, like, running on the... or some other site, is on Amazon, and

there's just little hooks coming out on it, and it says at the top, "Success isn't how far you got, but the distance you've traveled from where you started." When people come into my office, junior people, they're like, how do I get into InfoSec? How do I do what you're doing? I can point to this, because this has every badge, and when I go back to my office this badge will go on there too. Every badge for every conference I've ever been to is on that wall. Every training I've been to is on that wall. And I can say, I've put in my time, I've put in effort, I participated. That's how you

start. And you know what? You could buy one of these and you put today's badge, well, the one that you're wearing, I put it right on there, and then next year and the year after, and soon you'll be able to see, damn, I've been to a lot of conferences. And maybe your badges start changing colors, because you start becoming speakers or you start being volunteers. That tracks your progress too. Next, we're gonna talk about joining Twitter. Now, this is pretty sensitive to people, that some of the people in the audience that may work in a sensitive area in DC or Maryland or Virginia, where you're not necessarily allowed to have social media accounts. Cool, I get it.

But I'll tell you this: Twitter is a wonderful place for you to connect with people. It's bi-directional. I don't know if... some of you look old enough that you might remember BBSes. Remember, used to dial up? Yeah, yeah, there are people that said... Let me take off, let me put on my old guy hat. Back when I was a kid, we had modems, and we liked it. No, we used to dial into system... I'm sorry, I was slightly Bernie Sanders too, sorry. Um, but we dialed into these places and we would connect with other people. But there were some people that wouldn't upload files. They were just lurkers. They would just sit

there and watch, or maybe they would download files without participating. On Twitter, that's absolutely cool. You create a Twitter account, you make it so nobody can follow you, but you follow other people and you get to learn about stuff. If you don't know who to follow, here are three quick things that you can do: follow hashtag InfoSec, follow BSides DC, and follow me, and you find, through what I retweet or what I tweet, other people that have similar ideas to what you want, other things that you want to get into. The other neat thing is, if you wanted to contact me right now, you probably don't have my email address. Many of you do, but

you might not have my email address. But you get on Twitter, you can send me a direct message. It's like having my home phone number. And you can do that for anybody that has a Twitter account that allows that type of access. You want to talk to Adam Savage, the MythBuster? Bam, you can DM. And Brian Krebs, man, you can send them a tweet and put his name in there or whatever. But you can communicate with people. You're having a problem running Recon-ng? You send something to LaNMaSteR53; Tim Tomes will pick that up and go, let me see if I can help you. Or Rafi over here, if you've been over here to the Cobalt Strike booth.

Really responsive people. Twitter is the way to do it. The FruityArmor APT attack, the Dirty COW stuff that's coming out, the Dyn DNS stuff, all that stuff was on Twitter way before it hit sent on mainstream media. So you get things faster this way. My next tip is to surround yourself with people smarter than you. Many of you are in organizations where you are the only InfoSec person, so you can't do this, right? But maybe you've joined NoVA Hackers, maybe you've done some of these online classes, maybe you're on Twitter and you start surrounding yourself with the Twitter universe, with the other tweeps, Twitter peeps, and you start using

those people as your organization. Because you know what? If you're a big fish in a small pond, you probably feel pretty good about yourself. That's great. Yeah, you guys know about this, this nine-year-old rugby player in Australia? Dude is crushing it. He's huge and very strong, and he's just, like, flinging kids. It's like what the Hulk did in the Marvel Comics, you know, and all those moves, like, just kids are flying in this. You'll notice that every other kid on the opposing team has a helmet on, but he does not. He's just, like, throwing kids left and right. But I'll tell you this: once those kids get bigger, or he gets promoted to

the next league, where he's maybe as strong as other people, he might not have taken the time to learn the techniques that he needs in order to move on to the next level, or in order to continue to succeed. You look at him as opposed to Rudy, Daniel Ruettiger, um, this is the guy who the movie Rudy was about. Notre Dame player, football player. He only made... he was only playing in Notre Dame for three plays in his entire life. But he set a goal way early on in his high school life, and he said, I want to play for Notre Dame. And he tried to get into Notre Dame and he didn't. His

grades weren't good enough. So he joined the Navy, and then after he got out of the Navy he went to a two-year college, and he learned there. Then he got into Notre Dame, but he didn't get on the football team, because he was too small. He's only five-six and 160 pounds. But he kept trying, and he kept doing things and participating, and the final game of it, the final... putting the final play, in plays of the final game of his college career, coach put him in, and the dude got the final tackle that ended the game. It was a sack on the quarterback. And he is only one of two people that ever got

carried off the field on people's shoulders. Not, like, on a stretcher. He was the only... psych, no. I've watched the game before; we've seen a lot of people carried out. Now, he's only one of two people, if you believe Wikipedia, that were carried on the shoulders of the team players off the field, because he tried and he kept trying. And that's important. He surrounded himself with people that were much smarter and bigger and badder than himself. And then here's my last tip: you got to realize that not everybody out there's like you. This was a hard, hard idea and concept for me to understand. You know, I go play some, like, well, why didn't they

pick that up? That's easy, that's easy. I could pick this line, I can pick this six-pin lock, really simple. I don't see why it's taking you so long. I had a hard time understanding that not everybody was like me, until I heard a talk by info' Jenner, sitting right there in the audience. I'm gonna call... yeah, brother. Um, he gave a talk, and his talk at NoVA Hackers was about the different types of people in infosec, and he needs to help me understand that there are a lot of different people in information security, or just in information technology. Some people are there because they're hobbyists. It excites them to play with this

little tiny Raspberry Pi computer, just to make a light blink on and off. Some people love doing that kind of stuff. Cool, we need you. There's some people that go to work, they put in a solid 9 to 5, they do their job really, really well, but when they get home they're playing with their kids, or they're helping out somebody else, or they're doing sports or something else like that, and they leave InfoSec at the office. And that's cool. We need you too in the industry. There's some people that are 24/7 people. They immerse themselves in the InfoSec lifestyle. In their off hours, they go home and they're coding up some open-source project, or, you know, these are the type

of people that, when they walk by, like, a porcelain point-of-sale system and they see the USB ports pointing towards the customer, they're like, I could do this, I could exploit that system with one bad USB. But they don't, because they're ethical people as well. No, but these are the people that we also need. In fact, the information security community needs all of those people, because everybody contributes, whether you're finding the next cool way to hook up on Apple TV or whether you're inventing some new type of attack or defense. And we need you. And so our industry in our in person Marg. And if you do some of these things... I'm not saying that you have to make this

into a checklist, my goal was to start with number one, then work my way through 14. You don't have to do that, ladies and gentlemen, although that would be impressive. If you do, come back here next year, like, I followed, like, this plan, here's my misadventures, and you could give a talk here next year. But these are the ways that you can participate in the community, and you've started today. Some of you, go pick a lock. Go talk to some of the people here. Share your knowledge and grow. And that's my talk. Please don't... thank you very much. Are there any questions for me? Anybody have any questions for me? Yes, sir. You thought... no, that's you in the red

shirt, yes sir. Yeah, yeah. Where do you, where do you, where... tell me where to start within that grand cake, right? So the genre mentions, you know, so if information security is this wide, information technology is this wide, and where do I even start within that to gain that foundational experience? That's a very valid question, sir, and I can tell you that the best place for you to start is somewhere that interests you. If you start out doing what I tell you to do, oh, I'm going and do some web hacking, or go ahead and learn Python, that might be my way of doing it. Look in the blogs, look on Twitter, look on other places, come

talk to me or some of these other people, go to one of these groups, and see what interests you within there, and then start learning a little bit about that. And invariably you'll have this kind of spider and branching-out thing, where you're like, oh, I learned some Python, that was kind of fun. Oh, I can figure it out, I can make web calls. Well, with that web calls, I'll bet I can scrape data. If I can scrape data, and now I can do... and that will lead you in other places. The foundational things: learning networking, that's core. Learning how systems run, that's core also as well. Okay? Yeah, thank you for asking. Anybody else? Questions? No? All

right, thank you very much again. Enjoy your day.