You can’t vouch for your own bug. You will always see it as the most beautiful bug that ever did bug. Doesn’t matter if you’re the one who does the thing, or even if you’re right. If it needs a vouch, recuse yourself. It’s ok. It’ll hold up on its own, or not. Learn either way.
On the flip side, be careful whose vouches you do trust. Review boards have drama that has absolutely nothing to do with you, starting from the reality that they can’t accept all the good talks. No room.
People in such situations sometimes get shitty. Don’t take it personally.
People in such situations sometimes get shitty. Don’t take it personally.
You absolutely need external calibration. You’ll eventually notice our culture (for *many* definitions of our) has a positive feedback problem.
A rule of thumb is, don’t seek approval from those who reject everything. What can you expect?
No easy answers here.
A rule of thumb is, don’t seek approval from those who reject everything. What can you expect?
No easy answers here.
Keep having fun. There’s a reason fun exists. Learning *should* feel good!
If you’re teaching yourself something, make sure you give yourself opportunities to win at regular intervals. You don’t actually know things will work, so give yourself more chances to experience progress
If you’re teaching yourself something, make sure you give yourself opportunities to win at regular intervals. You don’t actually know things will work, so give yourself more chances to experience progress
The war is against burnout. Don’t forget that. Money does not cure burnout. Be kind to yourself, don’t think working for yourself doesn’t mean your boss can’t be an asshole. You’d assume. You’d be wrong.
Under no circumstances share a hotel room with another consultant.
Under no circumstances share a hotel room with another consultant.
There’s no wrong way to do it. Some hack alone, some hack with peers, some learn from mentors. Some do web, some do RE, some do social. If it’s pwned, it’s pwned.
Ok, yes, if there’s just a 200 page report of TLS nitpicks, it’s not pwned. Just isn’t.
Write well. Take the time.
Ok, yes, if there’s just a 200 page report of TLS nitpicks, it’s not pwned. Just isn’t.
Write well. Take the time.
If somebody wants to nerd out with you in the hallway at con, unless you *absolutely* have to be somewhere — they are the most awesome person in the world at that very moment. Doesn’t matter if they’re competent or not. Does matter if they’re curious!
Explore. Yes, you get to.
Explore. Yes, you get to.
As @dinodaizovi recently said, hack things, not people. We are very ... playful when it comes to repurposing things.
Don’t extend that to people. The social engineers are working a job. That’s different. Constrained. Don’t become, as Dino says, a psychopath.
Don’t extend that to people. The social engineers are working a job. That’s different. Constrained. Don’t become, as Dino says, a psychopath.
If you can just ask the dev, just ask the dev. White hat superpower. Trust me, your mental models of why things were written a certain way are wrong. That’s why your hacks work :)
When they explain something to you, listen for what they’re not worried about. Look there.
When they explain something to you, listen for what they’re not worried about. Look there.
If you ever have a chance to defend a team from a bullshit bug, do. Nothing makes you more credible.
You can spend too much time on Twitter.
Don’t let the best record of your work be your slides. At bare minimum, make sure to package your code.
Write the docs. If only for yourself! Yes, you’ll forget things.
Don’t let the best record of your work be your slides. At bare minimum, make sure to package your code.
Write the docs. If only for yourself! Yes, you’ll forget things.
Never, ever fake a demo. Not a thing I’ve done (well, except for that one time I faked a demo failing, which immediately turned into the demo actually failing, and getting restarted on stage. AWKWARD).
Anyway, don’t. The universe will conspire against you. It’s amazing.
Anyway, don’t. The universe will conspire against you. It’s amazing.
Mentorship is worth much more than salary. Freedom to explore is as well. My first job paid about 40% of my highest offer, but it offered much more freedom to learn.
Yes, you do get to invest in yourself like that. The job that pays the most might have to, to get anyone to stay.
Yes, you do get to invest in yourself like that. The job that pays the most might have to, to get anyone to stay.
Want the people around you to win. Don’t overaccount — if you can help, do. You can always be a rubber duck — just let people explain a thing to you. In trying to translate, they often figure out their issue.
And yes, you learn this way. From anyone, as long as they’re curious.
And yes, you learn this way. From anyone, as long as they’re curious.
Not everybody’s curious. It’s ok. Takes all kinds.
Don’t gloat. Don’t threaten to expose someone to management for their bad code. This sounds dumb, well, I screwed this up once and knew it IMMEDIATELY.
You’ll do a few dumb things. Try to notice. Apologize.
You’re seeing other people’s babies through very naive eyes. Be kind.
You’ll do a few dumb things. Try to notice. Apologize.
You’re seeing other people’s babies through very naive eyes. Be kind.
You are never, ever too “junior” to talk to anyone in Infosec. There’s no bar you must pass, talk you must give, code you must write before you’re qualified to nerd out with someone. Anyone. Really.
Trust me, the “famous” nerds miss the heck out of you.
Trust me, the “famous” nerds miss the heck out of you.
I’ve said this before, but:
Hackers are not rockstars. You know who are rockstars? ROCKSTARS.
we ain’t rockstars we just code a lot
Hackers are not rockstars. You know who are rockstars? ROCKSTARS.
we ain’t rockstars we just code a lot
Anyway, just being an old nerd, musing about how you kids can have more fun on my lawn :)
Ah.
There’s much more to hacking than pwnage. It’s not just about breaking in and beating somebody.
We’ve got a lot of new toys. They’re supposed to do one thing. What else can they do?
Not every hack is some horrifying threat to humanity. Sometimes you help the color blind!
There’s much more to hacking than pwnage. It’s not just about breaking in and beating somebody.
We’ve got a lot of new toys. They’re supposed to do one thing. What else can they do?
Not every hack is some horrifying threat to humanity. Sometimes you help the color blind!
Build things, regularly. Especially things that have nothing to do with security.
Nothing will make your skills go stale faster than *only* breaking stuff. You will stop knowing what things to break, or how they imagine the world works.
This is a problem. We make poor tools.
Nothing will make your skills go stale faster than *only* breaking stuff. You will stop knowing what things to break, or how they imagine the world works.
This is a problem. We make poor tools.
A bit of your time will be remembered for years. For good, and sadly, for bad as well.
Be good to people, it matters so much.
Be good to people, it matters so much.
Try, and try again. There is no do.
If you don’t think anyone wants you to win —
I do. Write me something awesome. Build me crazy, fun, inspired.
I want you to win!
You don’t need permission to be awesome. But if you like, I wave my Kona Harry Potter Bluetooth magic wand. Accio Awesome!
I do. Write me something awesome. Build me crazy, fun, inspired.
I want you to win!
You don’t need permission to be awesome. But if you like, I wave my Kona Harry Potter Bluetooth magic wand. Accio Awesome!
Want someone around you to win, as well. Help ‘em out. We lift eachother up. More fun that way!
We ain’t doing this to be *bored* :)
We ain’t doing this to be *bored* :)
Heh. Nobody’s as happy as they look. Best I can tell, everyone’s on fire.
Lots of ways to burn.
Protect your curiosity. Seek it in others. You’re not “supposed to already know”...anything. That’s the fun of hacking. Pawing around in the darkness, discovering accidental beauty.
Lots of ways to burn.
Protect your curiosity. Seek it in others. You’re not “supposed to already know”...anything. That’s the fun of hacking. Pawing around in the darkness, discovering accidental beauty.
Ok, so. Microphones are speakers, if you run power in the other direction. Doesn’t sound great, but it does a thing.
LEDs are solar panels, in exactly the same way.
In fact — solar panels are LEDs too. Run em backwards, they glow.
Hacking is mostly ignoring the directions.
LEDs are solar panels, in exactly the same way.
In fact — solar panels are LEDs too. Run em backwards, they glow.
Hacking is mostly ignoring the directions.
It’s impossible to express how safe and welcoming #DEFCON was for me. It was the first event I ever attended where random people were actually curious about my bizarre chicanery.
There’s all sorts of toxic pressures nowadays. But the magic is still around. Really.
There’s all sorts of toxic pressures nowadays. But the magic is still around. Really.
These are hard times for curiousity. It has a cost, you know. Everything you learn will be compared against every future experience. Learn toxicity, and your future becomes nothing but correctly predicted toxicity.
It becomes what you know.
Nerdery is knowing something else.
It becomes what you know.
Nerdery is knowing something else.
That was 20 minutes of my life well spent :)
I had some guy at a random table at #Defcon who thought what I was playing with was hilarious. He wasn’t famous (as far as I know), he wasn’t some master. Just curious.
Be that guy. Listen. Laugh. Learn.
I had some guy at a random table at #Defcon who thought what I was playing with was hilarious. He wasn’t famous (as far as I know), he wasn’t some master. Just curious.
Be that guy. Listen. Laugh. Learn.
Some people speak. Some don’t. *slaps roof* This Infosec bad boy fits so many personality types!
Two things that guided my talks:
1) I’m telling my friends a story about some funny things I found.
2) Talk about a few things, so the confused can rejoin a thread.
Just my way.
Two things that guided my talks:
1) I’m telling my friends a story about some funny things I found.
2) Talk about a few things, so the confused can rejoin a thread.
Just my way.
This is important:
Talks are not about you. That’s different than school, sometimes work. There, you may well be proving you know a thing other people already know.
Hacking is exploring the unknown. This is not a test. You have a curious audience. What could *they* know?
Talks are not about you. That’s different than school, sometimes work. There, you may well be proving you know a thing other people already know.
Hacking is exploring the unknown. This is not a test. You have a curious audience. What could *they* know?
It’s a little like snowboarding. You go where you look.
If you’re looking to have people know you’re smart, that’s the talk you’ll give.
If you’re looking to have people know about this cool thing, that’s the talk you’ll give.
You might like the former. Would your audience?
If you’re looking to have people know you’re smart, that’s the talk you’ll give.
If you’re looking to have people know about this cool thing, that’s the talk you’ll give.
You might like the former. Would your audience?
“Why would somebody want to listen to me” is something you do need to think about.
I assure you, this is deeply controversial. A lot of human communication is failing nowadays because nobody wants to listen. Nobody wants to know your shit. Their brains are full. Happens.
I assure you, this is deeply controversial. A lot of human communication is failing nowadays because nobody wants to listen. Nobody wants to know your shit. Their brains are full. Happens.
This thread is absolutely a love letter to everything I’ve treasured, being an Infosec nerd. A *lot* of people were kinder than they had to be. I’m proud to say I did everything I knew to return the favor, and not ashamed to admit I didn’t always know how.
But I can document :)
But I can document :)
I think quite a bit about the iSec model that @alexstamos and crew found great success with.
You couldn’t hire an iSec master consultant without also hiring their apprentice. Just wasn’t an option.
iSec was a *factory* that emitted *masters*.
We lift eachother up. If we choose
You couldn’t hire an iSec master consultant without also hiring their apprentice. Just wasn’t an option.
iSec was a *factory* that emitted *masters*.
We lift eachother up. If we choose
“Multi-scale graphs over time” is a pretty useful mental widget for modeling things, I’ve found.
It’s kind of funny. This thread begins with an assumption that the reader was there for my big DNS patchathon that didn’t exactly go according to plan, but mostly resolved ok.
Heh. It’s been a while. Remember, people don’t just forget. Often they simply weren’t around back then.
Heh. It’s been a while. Remember, people don’t just forget. Often they simply weren’t around back then.
A lot of people were kinder than they could have been. Some were meaner. Cruel, even. I held grudges for *years*.
Grudges are a tax. They only *feel* good. You’re still paying.
This is why they’re not nearly as transitive as you might like. Grudges suck, even for the begrudged.
Grudges are a tax. They only *feel* good. You’re still paying.
This is why they’re not nearly as transitive as you might like. Grudges suck, even for the begrudged.
Every grudge I’ve ever ended has made me a happier man. Doesn’t mean I interact with a particular person anymore, but I don’t bristle at signs that they’re still alive.
If somebody helped you — always feel free to let them know. They may not. Really.
There is no statute of limitations on being thankful. Years, decades, doesn’t matter. Now is always a good time.
Best when you don’t need them for any reason.
Notice the helpers.
There is no statute of limitations on being thankful. Years, decades, doesn’t matter. Now is always a good time.
Best when you don’t need them for any reason.
Notice the helpers.
These aren’t empty platitudes. There’s some hard lessons, that our culture has gotten pretty awkward about teaching. We know a lot of things straight up do not work and mask it by cutting off further contact.
I’m in the muck with all of you. I’m calling out what I’ve seen help.
I’m in the muck with all of you. I’m calling out what I’ve seen help.
At the end of the day, I’m old, and tired, tapping thoughts into a faith-based keyboard, hoping I can do a thing or two for the next nerd full of silly magical ideas.
Hoping you will too.
Hoping you will too.
Some things I’ve been particularly impressed by:
Blackhoodie. Hell yeah, let’s teach women how to reverse.
Rootz Asylum. Hell yeah, let’s give kids a place at Defcon.
BSides: Hell yeah, we can have a con there too.
Hell yeah, there’s a bit of a theme here.
Blackhoodie. Hell yeah, let’s teach women how to reverse.
Rootz Asylum. Hell yeah, let’s give kids a place at Defcon.
BSides: Hell yeah, we can have a con there too.
Hell yeah, there’s a bit of a theme here.
This is such great advice I’m just going to point at it. Don’t “just” do Infosec.
The blackest magicks I’ve ever summoned started from learning how to drive WS2812 LEDs with sub-millisecond precision on commodity SBC’s. Oh, is that how time works? COOL
The best thing you’ll learn from Infosec is that, really, you can mess with anything. ANYTHING. Yeah, it might crash, but that’s a win in these parts.
Doesn’t mean you should. But functional fixedness is a problem, and it’s choking innovation everywhere.
Everything can do more.
Doesn’t mean you should. But functional fixedness is a problem, and it’s choking innovation everywhere.
Everything can do more.
There’s a culture war going on, and it’s come for tech. Be sympathetic. Nerds aren’t supposed to be bullies, but we sure took everyone’s lunch money. Journalism got defunded, and “user generated content” is not enough.
But don’t forget that tech can be fun and useful. Some do.
But don’t forget that tech can be fun and useful. Some do.
