Wednesday, October 3, 2012

My DerbyCon Talk

First let me say how great DerbyCon was, the content, the people, the staff, everything about it was ideal.  Second let me thank the people who ran it for selecting my talk.  I was surprised and very excited that I got to speak.

My talk was in the small room and against some stiff competition at the 4PM Sat slot and several Chicago land people I know went to Ben0xA's talk instead, which I totally understand.  His talk rocked.  But the room was almost totally full anyway and I think only one person walked out on me which is rather good for a Con, so it worked out fine I think.

I was pretty nervous in the beginning and talking a bit faster than I needed to, something I even say at some point.  I was afraid I would run out of time.  Once I noticed how fast I was going I loosened up a bit and remembered to tell the audience to ask questions which I meant to do in the beginning but forgot.  So they did, and their questions were great!  Several questions reminded me to talk about something that I planed to talk about but forgot like how to say no to people who you have to make sure keep liking you if you want to keep your job.  Seriously the questions improved the talk and I love how smart everyone is at Cons like this.

At the end I got a lot of positive feedback and people wanting to continue the conversation which we did at the hotel bar and it was great.  For my first talk at a large Con I'm putting this down as a success.

I posted the slides at the securityhangout forum, the direct link to the post is

The video can be seen here:

All the video's are here:, I recommend checking out tons of them.

Let me know what you think of the talk and slides.  I'm always looking to learn and to improve.

Tuesday, October 2, 2012

DerbyCon 2.0

I must say, DerbyCon was great this year.  I missed it last year and had high expectations going into it based on what I heard and it was even better than I expected!

First off, checking in took about 30 seconds, seriously.  Also I could always get into any talk I wanted to get in and even find a seat.  The hotel seemed to like us and people hung out and drank and talked in the lobby all night and it was a ton of fun and very relaxed.

BurbonCon was great, it was like ChiSec, BurbSec, and BurbSec-West all came together in one place.  Really the only bad thing was I couldn't see everything I wanted to and the stable talks weren't recorded.  I wish I knew they weren't being recorded earlier on I would have gone to more of those, there were some really good ones I missed.

This was also my first time speaking at what I would consider a major conference.  I'll blog about my talk separate and not bore you about the content here.  But I think it went pretty well.  The audience got into it after about 10 minutes when I finally loosened up, I was pretty nervous in the beginning.  I got a lot of great questions that moved the talk along and proved how smart everyone in the audience was.  And I got some great feedback afterwords which made me feel pretty good.  Ryan Reynolds came up to me and told me how much he liked it and he gave one of my favorite talks this year at DEF CON, that really made my day.

All in all it was great.  Now I'm hitting to watch some talks I missed.  Starting with Ben0xA's talk which was at the same time as mine, I heard it was good and really funny.   

Tuesday, September 11, 2012 is Born!

I just launched as a website for IT security folks to hang out, ask questions of their peers, get answers, learn, etc.  The main hangout is at  Right now it is pretty empty, but I really hope people will register and start posting.  If I get enough active members I can expand it to include more than just a board to post info.  I have a lot of ideas and if the community there grows I'll be asking them for ideas too.  But for now I'm going to see if there is a desire for such a place and if it gets traction before putting a lot of effort into it.  Here are some of the rules that I hope will get you interested:

1. Be respectful, this isn't a place for flame wars

2. No sales pitches, even in PM's, this is a place for peers to be able to talk

3. No spam or spam like posts

I will be approving membership and monitoring posts and banning people who post spam or are trying to sell a product or themselves instead of contribute.  So let's see how this goes.  Sign up today and get the cool names before they are gone!

Saturday, August 25, 2012

Help fix the CISSP

I got my CISSP in 2001.  Times were different back then.  I wanted a non-vendor security certificate because that was what I was doing and that seemed to be the only game in town.  The only other security certs I knew of were vendor ones, firewalls, etc, which I had already.  There were no books or study guides you could buy at the book store.  There was one book you could buy directly from the author, which I did, but it was unreadable garbage and totally worthless.  Getting a CISSP without taking any training seemed daunting.  So what I did was searched the Internet and found HTML formats of some presentations that looked to be some basic training.  I read those and made my own study guide based on the information that was totally new to me. Stupid Orange Book levels and physical security terms that I have never had a use for to this day.  But whatever.  The economy sucked in 2001 (by standards up until that point anyway) and I had two weeks of unpaid vacation I had to take.  So I took them before the test and studied every day.  I was really trying hard to pass this test, one I heard was very hard to pass especially without taking the training.

So I took the test and I was done in about an hour and I felt like I just wasted those two weeks.  It seemed very easy to me.  I couldn't believe it.  Yes there were some Orange Book and CCTV questions, but I really only needed to study for that for a few days.  I really over did it.  But whatever, I passed (so I found out weeks later) and life is good.

Now over the past decade or so since then here is what I have noticed:

  1. The worst security  professionals  I've ever met had a CISSP
  2. Most of the really bad security  professionals I've met had their CISSP
  3. I've met a lot of CISSP's that had no real world security experience and were using the cert to try to break into the industry, some have never even worked in IT
  4. A large number of really good security professionals don't have their CISSP
  5. I personally know a lot of people who have taken the test, and I have yet to every meet anyone who hasn't passed it, I'm not sure anyone fails it 
It turns out I'm not the only one that has noticed those five things.  This has lead a to a large number of leaders in the security community to call out the CISSP as worthless, or worse.  It doesn't give any assurance that the holder of the cert is competent or experienced.  Heck, it doesn't even do the job of establishing a common language in our community.  What this means is the cert is getting less valuable, which is bad for everyone that has it.  And I think bad for the industry, I think a generic cert like the CISSP could ad a lot of value if done right.  I know others disagree, but I'm an optimist.

What this means for you:  
If you don't have a CISSP, don't get one until this is fixed!  Seriously, stop using it to try to get a job.  If you have a job, look elsewhere to advance your career, you won't learn anything worthwhile getting a CISSP as it is today.  

If you do have one, then vote for new leadership!  Go here:  and sign the petition for those four fine people who are looking to fix these problems and when the time comes vote for them, and only them.  And every time you get those elections emails from the ISC2, don't ignore them.  Look for reformers and vote them in.  It make take some time but let's get enough reformers on the board to get this cert and all certs by ISC2 fixed!

First Blog.

I'm starting a blog and we will see how it goes.  This is going to be a professorial blog, not a personal one.  My goal is to blog about security architecture, leadership, and pen testing.  All three are topics of great interest to me and areas I feel I have knowledge and the ability to contribute to the greater good.  I'll also blog about the security industry in general.  Enjoy.