Friday, December 28, 2018

2018 InfoSec Tweet Awards

As 2018 comes to a close, it becomes time once again for the annual InfoSec Tweets Awards!  This marks the 7th year running.  As long as you keep reading these posts, I'll keep writing them.

As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the year (I still refuse to call them "likes").  As always, categories are completely arbitrary and I make them up as I go along...

Best Tweet About Metasploit

Best Tweet About GDPR

Best Tweet About Cryptocurrency

Best Tweet About Vendors

Best Tweet About Certifications

Best Tweet About Education

Best Tweet with Hiring Advice

Best "Truth in InfoSec" Tweet

Inspirational Tweet of the Year!

As you can see, this year I have forgone the “Tweet of the Year” in favor of an “Inspirational Tweet of the Year”.  While not strictly InfoSec related, coding is a notable part of our industry and Ms. Alexis serves as an inspiration to us all.  

Thank you to everyone in the community for providing so much great content to choose from and special thanks to those who were featured above.  Feel free to comment below with any Twitter gems I inevitably overlooked and I encourage you to send me tweets throughout the coming year for the next InfoSec Tweet Awards.  

I wish you all health and happiness in 2019 and hope to see many of you soon.  

Happy New Year!

Sunday, December 31, 2017

2017 InfoSec Tweet Awards

Another year done.  You know what that means?  It's time for the annual InfoSec Tweets Awards!  This marks the 6th year running.  As long as you keep reading them, I'll keep writing them. 

As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the year (I still refuse to call them "likes").  As always, categories are completely arbitrary and I make them up as I go along...

Best Tweet Inspired by a Movie

Best Tweet About Passwords

Best Tweet About Browsers

Best Tweet About Twitter

Best Tweet About Pentesting

Best Tweet About Healthcare

Best Tweet About Food

Best Tweet on the Hacker Mindset

Best Tweet to Combat Imposter Syndrome

Best Tweet with Practical Advice

Best Tweet on Marketing

Best Use of a Meme

Best Tweet of the Year! 🌠
(you both get credit for this one-two punch)

That's a wrap for 2017.  It's been an interesting year filled with record breaking breaches, crypto malware and the like.  No doubt this has kept many of you busy and as the year winds down it's my hope that this annual post will give you a laugh or two.  Feel free to comment below with any Twitter gems that I inevitably overlooked.  

I wish you all health and happiness in 2018 and hope to see many of you soon.  

Happy New Year!

Saturday, December 31, 2016

2016 InfoSec Tweet Awards

Welcome back good reader.  This year marks the 5th Annual InfoSec Tweets Awards!  It's hard to believe I've been doing this for half a decade.

In 2016 I reduced the number of accounts I follow and I'm not as obsessive about reading every tweet, but there were still plenty of gems to choose from.

As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the year (I still refuse to call them "likes").  As always, categories are completely arbitrary and I make them up as I go along...

Best Tweet Inspired by a TV Show

Best Tweet Inspired by a Movie

Best Tweet About CISSPs

Best Tweet About Auditors

Best Tweet About DevOps

Best Tweet About A Text Editor

Best Tweet About Education in InfoSec

Best Tweet About Skill Shortage in InfoSec

Best Tweet About Travel (tie)

Best Tweet About Dating in InfoSec (tie)

Best "Threat Landscape" Tweet

Best Poem in a Tweet

Best InfoSec Analogy in a Tweet

Best Tweet Telling It Like It Is

Well, that's a wrap for 2016.  I know this year has sucked for a lot of you.  We've lost loved ones and those who inspire us, but this does not diminish the impact they've had on our lives and the people we are because of them. With that said, on this New Year's Eve, let us celebrate the good things in our lives and cherish those who are still with us.  I wish you all health and happiness in 2017 and hope to see many of you soon.  

Happy New Year!

Friday, December 30, 2016

Defeating the Rebellion with Security Controls: A Star Wars Story

The weekend Rogue One: A Star Wars Story was released a conversation started on Twitter discussing the missteps made by the Empire which inevitably led to the theft of the Death Star plans.  To avoid spoiling the movie for everyone, Wolf Goerlich (@jwgoerlich) and I moved the conversation to direct messages.  He has since posted two great videos, "Rogue One and InfoSec" Part 1 & Part 2.  You can find them on his informative YouTube series, Stuck In Traffic with Wolf Goerlich.

What follows are my thoughts on the controls the Empire could have implemented to thwart the Rebellion.


Prohibit BYOD (Bring Your Own Droid)

From R2-D2 to BB-8 it seems everyone has their own personal droids in the Star Wars universe.  Most are designed with a specific task (Astro Mechs, Protocol Droids, etc.) but all are capable of storing large quantities of data and many are equipped with universal Scomp Links or computer interface arms that allow them to access any computer terminal.  Had the Empire prohibited BYOD and implemented network access controls then unauthorized assets (droids) would be unable to connect to computer terminals in the first place.

Design Review

In Rogue One, Galen Erso is the unwilling head of the Kyber Crystal Research Team working on the Death Star.  In this role he was able to architect a flaw in the reactor that would lead to its destruction during the Battle of Yavin.  In the movie, a holo-recording of Erso recounted how he had made himself indispensable, "all the while laying the groundwork for revenge."  He accomplished this by, "placing a weakness deep within the system, a flaw so small and powerful that they will never find it."

The construction of the Death Star was a massive undertaking, one executed with military precision.  This should have included extensive reviews of the initial design as well as architectural, electrical, mechanical (and crystalic?) inspections during construction.  Appropriate checks and balances would have prevented this flaw from being introduced.

Asset Management and Clearance Code Revocation

During the escape from Eadu the rebels steal an Imperial cargo shuttle.  This ship contains clearance codes that allow them to pass through the shield gate and land on Scarif.  Chronologically this may be the first time this tactic was used, but as we have seen in Return of the Jedi, the Rebel Alliance would later steal a shuttle in order to bypass the deflector shield and land on the forest moon of Endor.  Had the Empire implemented better asset management they would have known these shuttles were stolen and could have revoked the clearance codes.  The Empire may have even gone one step further by implementing a system that would allow them to remotely disable the engines on stolen star ships.

Two-Factor Authentication

Upon gaining entrance to the citadel tower (simply by donning stolen uniforms) Jyn and Cassian access the data vault by placing the hand of an unconscious officer on a biometric pad.  While some argue that biometric authentication is better than a password, by requiring a combination of the two, the Empire could have prevented access to its sensitive proprietary information.

Data Encryption 

Once inside the data vault, Jyn and Cassian were met with a six story shaft containing a spire filled with "data tapes".  The design is reminiscent of a StorageTek 4400 ACS tape library. Following the identification of the correct tape and Jyn's harrowing escape, she makes her way to the satellite dish in order to transmit the plans to the Rebel Fleet.  Once received, the data is transferred to several different forms of media before finally landing in the hands of Princess Leia who included them with her message to Obi-Wan Kenobi inside R2-D2.  Had the Empire encrypted this data the rebellion would have likely ended on Scarif, the Battle of Yavin would never have taken place, and the Death Star would have gone on to destroy countless other planets.

Final Note 

While it's easy to point out the shortcomings of the Empire, the lack of controls is all too prevalent in the real world.  There are plenty of reasons these controls might not have been implemented.  The Death Star was a massive undertaking.  It is possible that all resources were diverted to its construction and any budget for controls was denied.  Perhaps in a galaxy far, far away there exists an InfoSec skill shortage.  Lastly, it could be the culture of arrogance that was prevalent throughout the Empire.  After all, who could hack the all powerful Galactic Empire?

Thursday, January 14, 2016

Breaking Into Security: A Compendium

Like most Information Security practitioners, I am frequently contacted for advice on breaking into this industry.  Rather than write yet another blog post on the subject, I thought it would be more beneficial to collect a variety of quality posts covering different aspects of the industry and provide them as a quick and easy reference.

In reverse chronological order:

Starting an InfoSec Career – The Megamix   Lesley Carhart (@hacks4pancakes)
If you have no idea where to start then begin here.  Hacks4pancakes has done an amazing job and her "Megamix" is probably the most comprehensive series of articles on breaking into security.
How to become a pentester   Peter Van Eeckhoutte (@corelanc0d3r)
Corelanc0d3r is the go-to guy for training when it comes to exploit development.  He has written an extensive post covering time, effort, and the general mind set of a pentester.  He also provides links to resources and a list of companies willing to hire inexperienced pentesters.
20 of the Most Misguided Beliefs About InfoSec   David Spark (@dspark)
While this is not technically a "how to break into security" post it does debunk a lot of common misconceptions about security which can be just as valuable when starting your career in InfoSec.  
Answers on how to get started in Security   Chris Gates (@carnal0wnage)
Chris provides sound advice on getting started in pentesting, but the best part of this post is the list of book recommendations sorted by area of focus (pentesting, netsec, webappsec, social engineering and physsec/redteam)
Finding And Using A Mentor   Wolf Goerlich (@jwgoerlich)
In Wolf's blog post he expands upon a recent Forbes article on mentorship and provides the InfoSec perspective on finding and benefiting from a mentor.  He's also recently posted a Career Advice Video (available here).
How to Build a Successful Information Security Career   Daniel Miessler (@DanielMiessler)
Dan's post includes the usual advice for starting out but also addresses the areas in which you will need to grow as your career progresses.
Education & InfoSec   Steven Maske [me] (@ITSecurity)
This was my personal take on all the different ways you can learn our trade.
Hack the Hustle! [Video]   Eve Adams (@HackerHuntress)
Think you know how to write an InfoSec resume?  Are you sure?  Find out from a respected technical recruiter who understands the needs of our industry.

Thoughts On Being Asked “How Do I Get Into INFOSEC?”   Scot Terban (@Krypt3ia)
A (surprisingly calm) reality check from my favorite security curmudgeon.  Read this for an idea of the expectations that you will face IRL. TL;DR: InfoSec is not for those without dedication. 
How To Break Into Security   Brian Krebs (@briankrebs)
If you don't know who Brian Krebs is, you will.  He is one of the more well known reporters in our industry and his site, Krebs on Security is one of the few InfoSec news sources that is read by people outside of our industry. Back in 2012 he conducted a series of interviews on how to break into security. 

Thursday, December 31, 2015

2015 InfoSec Tweet Awards

It's December 31st so that must mean it's time for the 4th annual InfoSec Tweet Awards!  Over 2,100 of you read last year's post (my 2nd most popular to date) so it seems I should continue the tradition.

As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the year (yes, I know twitter now calls them "likes").  As always, categories are completely arbitrary. I make them up as I go along...

Best Tweet Inspired by a Song (Tie)

Best Tweet Inspired by a Holiday (Tie)

Best Tweet That Should be on a T-Shirt (and already is)

Best Tweet About Phishing

Best Tweet About the Cloud

Best Tweet About the Internet of Things

Best Tweet About Threat Intelligence

Best Tweet About Recruiting

Best Work/Life Balance Tweet

Best "IT is Hard" Tweet

Best InfoSec "Pick-up Line" Tweet

Best InfoSec Parenting Tweet

Best "Out of the Mouth of Babes" Tweet

Best Tweet "That Understands My Pain"

Best Twitter... um... –er

Last but not least we have the "award" for the person who posted the best overall tweets of the year.

And the winner is.... Security Humor (@SecurityHumor)! Security Humor is hardly a new account. This month marks the sixth year s/he has provided funny quips 140 characters at a time. The Security Humor account has been in the running for this coveted(?) award for the last two years and only narrowly lost to InfoSec Taylor Swift (@SwiftOnSecurity) and Info Security Jerk (@infosecjerk).

If you follow one new account this year it should be @SecurityHumor. Below are a few recent gems:

This concludes the 2015 Tweet Awards. Please feel free to share your favorite tweets in the comments below. I wish you and yours a very Happy New Year!

Friday, August 7, 2015

Review: Hacktivist Vol. 1

A year and a half ago I reviewed the first issue of "Alyssa Milano's Hacktivist" (see review here).  With last week's release of Volume 2, Issue #1, I thought it about time to review the rest of the original story arc.

"Hacktivist" re-imagines the events of the Arab Spring uprising that occurred in 2010/2011.  This is the central focus of the story.  The sociopolitical events and accomplishments of the activists are much more important than the "hack" part of "Hacktivist".

If you work in InfoSec or any other IT related field, you are going to have to suspend your disbelief when reading this story.  There is some effort to use language familiar to the technically inclined; however, it's apparent that the writers don't really have a complete understanding of the lexicon.  Don't get me wrong, "Hacktivist" is not as bad as "Live Free or Die Hard" (a.k.a. Die Hard: Hack all the Things) but, let's suffice it to say that some liberties have been taken.

Another aspect of the story I found particularly unrealistic is the interaction between the CIA and the founders of the Facebook-esque company, "Your Life".  The way in which the CIA initially approaches the founders and the nature of the business proposal (while common in entertainment) was not very realistic.  This is a little disappointing for a story that tries to take itself more seriously.  I also find fault with the government's response when things don't go their way.  To avoid any spoilers, let's just say that if Mark Zuckerberg decided to shut down Facebook and sell your personal information, he wouldn't be called the country's #1 threat.

If you can forgive these issues, there is an interesting, albeit somewhat short story.  All-in-all it's an entertaining read and for $1.99 per issue (4 total) there are worse ways to spend your money.

You can pick up "Hacktivist" at your local comic shop or a digital copy at

Monday, June 29, 2015

Book Review: Spam Nation

As an Information Security practitioner I am no stranger to Brian Krebs.  He is undoubtedly the foremost investigative reporter covering "cyber crime" (yes, I said "cyber").  I've followed his work since the mid-90's, first on the "Security Fix" blog at The Washington Post and (naturally) at I was eager to read this book and finally got around to picking it up a few weeks ago.

Spam Nation is a quasi-autobiographical retelling of Mr. Krebs' coverage of the spam industry and pharma-wars.  If you're familiar with his work you'll likely recognize many of the stories.  The book recounts previous news articles with added exposition, provides insights from the author, and includes numerous interviews with both spammers and the people who bought their products.

All in all, Spam Nation is an easy read that is written to appeal to a wide audience.  If you're a seasoned InfoSec professional you won't find a lot of new information; however, this book serves as a good review of the golden days of spam and the pharma-wars.  If you are new to the industry (< 10 years) then this is a must read.  It serves as an origin story for spam and it's a good idea to acquaint yourself with its roots.

Lastly, keep in mind that this book wasn't written for the InfoSec community.  It is written for the general public and the language and writing style reflect that.  With that said, I also recommend this book to friends and family.  It provides solid insight into one facet of our world.

Spam Nation is available on Amazon here.

Wednesday, December 31, 2014

2014 InfoSec Tweet Awards

Welcome to the third annual InfoSec Tweet Awards!  These posts continue to be some of the more popular blog entries on so I feel compelled to continue the series.
As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the last year. Also, you will notice that the categories have changed.  This is because they are completely arbitrary. I make them up as I go along. So without further ado...

Best Tweet Inspired by a Movie

Best Tweet Inspired by a Song (Tie)

Best Tweet Inspired by the Holidays (Tie)

Best Tweet on How to be a Hacker

Best Tweet About Linux

Best Tweet About Metasploit

Best Tweet About Medical Devices

Best Tweet About The Cloud

Best Tweet About Cryptography

Best Tweet About Two-Factor Authentication

Best Tweet About Silk Road

Best Tweet About "Named" Exploits

Best Tweet About Attribution (Tie)

Best Tweet Explaining the Sony Breach

Best "Fake" Tweet

Best "Get Off My Lawn!" Tweet

Best Twitter... um... –er

Last but not least we have the "award" for the person who posted the best overall tweets of the year.

And the winner is.... InfoSec Taylor Swift (@SwiftOnSecurity)! InfoSec Taylor Swift is an unusual account. On one hand it's an obvious parody of a celebrity with a humorous slant towards information security. On the other hand she (he? they?) offers legitimately sound advice in 140 characters or less. The quality is such that news outlets have quoted the account and the new web site associated with it,, has the potential to become a solid resource for InfoSec fundamentals.

If you follow one new account this year it should be @SwiftOnSecurity. Below are a few gems from 2014:

Serious Tweets:

Funny Tweets:

This concludes the 2014 Tweet Awards. Please feel free to share your favorite tweets in the comments below. I wish you and yours a very Happy New Year!

Monday, December 15, 2014

Don't Click

As I'm sure the readers of this blog will know, way back on June 20, 2011, the ICANN board voted to end restrictions on TLDs. This paved the way to expand the number of TLDs (22 at the time) to include over 400 gTLDs (Generic Top Level Domains).  Most of the new gTLDs were sponsored by companies and organizations willing to pay the $185,000 application fee.  In November 2013, these new domains began rolling out a few per month.

Many domain registrars are offering free pre-registration for the new gTLDs.  Like a good little geek I immediately skimmed through all the options and reserved a couple dozen domains.  There are some real gems in my list but I'll keep them to myself until their respective gTLDs go live.  I don't want to lose them in the land rush :)

So what's my point?  Basically I wanted to share my first gTLD and solicit ideas for its use.  Without further ado I present:

What do you think?  What would you do with this domain?  Please leave your suggestions in the comments below or hit me up on twitter (you'll find me as @ITSecurity).  Thanks in advance.

Tuesday, September 9, 2014

Book Review: The Basics of IT Audit

Full Disclosure: I was the Technical Editor for this book. While some may say this makes my opinion biased, I believe this has made me more critical of the finished work.

The Basics of IT Audit: Purposes, Processes, and Practical Information by Stephen Gantz is the latest in "The Basics of" series by Syngress.

It is intended to "provide you with a thorough, yet concise overview of IT auditing. Packed with specific examples, this book gives insight into the auditing process and explains regulations and standards such as the ISO-27000 series program, CoBIT, ITIL, Sarbanes-Oxley, and HIPAA."

At 270 pages it is one of the longer books in this series and like the others, is intended to provide a high level overview of the subject matter. It begins by explaining the reasoning behind auditing and quickly moves into the different roles and responsibilities that one can expect during an audit engagement. The book dedicates separate chapters to internal and external audit as well as a chapter explaining the different types of audits.

It goes on to spend several chapters breaking down the components and life cycle of an audit before delving into the different methodologies and frameworks available (NIST, ISO/IEC, COBIT, etc.). The book ends by providing an overview of Audit-Related Organizations, Standards, and Certifications.

All-in-all The Basics of IT Audit is a good primer for anyone just getting started in IT Audit or students pursuing a degree in IT Assurance. The book also does a great job demystifying the audit process and is recommended for anyone in IT who may be involved in their company's audit process.

Get this book at: Amazon | Syngress

Friday, June 13, 2014

Education & InfoSec

Yesterday the question was asked, "do you see a bump in pay-grade commensurate with the cost of a Masters?"  This got me thinking. There are numerous blog posts on how to break into security but I've rarely seen a blog post on education, especially given how often this question is asked. In this day and age there are numerous options available. Below are my experiences with the various forms of education and recommendations for someone new to the InfoSec industry.

"Traditional" Education

To begin, I did go to college. Back in the 90’s there was no such thing as an Information Security degree. Even IT degrees were still somewhat scarce. The best option available was a Computer Science degree that more or less taught programming fundamentals. At the time, classes were simplistic. One actually began with the professor holding up a 3.5" floppy saying, "This is a floppy disk". I often found I could complete the lab assignment and homework before class ended.

Is a degree needed to "make it" in IT or InfoSec?  In a word, no. Some of the smartest, most technically competent people I know have no formal education. Nevertheless, I would recommend getting a degree. It can be difficult to make it past keyword filters and HR gatekeepers without this check box. Ideally, when you graduate you'll also walk away with soft skills that many IT/InfoSec professionals are lacking.


After a few years bouncing around different colleges I entered into an internship. I had a good mentor and learned more in those 10 weeks than in all my classes combined. At the end of the internship I was offered a full time position. Not wanting to give up on my education I transferred to the University of Phoenix and completed my last year online.

Do it. Find an internship or take advantage of a mentorship program. There is no substitute for experience and you will never learn more than when you get your hands dirty. These are the times when you have more leeway to make mistakes and if you're not making mistakes you're not trying hard enough (or are not being challenged, in which case get a new mentor).

"Advanced" Degree

After completing my undergraduate degree I decided that if I was going to pursue an advanced degree I shouldn't wait. I was already in the student mindset and it would be easier to stay in "college mode" rather than return later in my career. I took a year off, then after an additional two years of education, I walked away with a shiny new Master's degree.

I'm often asked if I see value in my degree. Honestly, I'm not sure I do. Outside of positions with a college or university (or in executive management) I have not seen many InfoSec jobs that require an advanced degree. I also have not seen higher wages as a result of my Master's. In fact, I've been told I was passed over for a position because the company felt my education overqualified me and they believed I would not stick around.

I've said publicly in the past that an advanced degree may have been a mistake on my part. Education is expensive and I can't say there is an adequate ROI. Even with employer contributions, I will be making student loan payments for many more years.

When deciding, take a good hard look at what area of InfoSec you want to work in and which industry. Look at job listings and talk to people in those positions to determine if an advanced degree is worth it. Also, take your time looking into a degree program. There are a lot more options than when I was in college. Find a curriculum where you will actually learn something and not just walk away with an expensive piece of paper.

Final thought: I still consider my career to be relatively young (13 years). I may find that my degree has greater value later in life.


Certifications are another highly debated topic in the InfoSec industry. Over the years I've accumulated a handful of them at my employers' behest (CISA, CISSP & Six Sigma Green Belt). Realistically, I probably wouldn't have picked these up on my own dime but they do have some value.

Not all certifications are created equal. Some have far more value than others. If you want to learn something and earn a certification that is respected, look at SANS training and certifications. If you are interested in a career in pentesting look at the OSCP and the other Offensive Security certifications.

The value of the CISSP is hotly contested.  While many people believe it has no real value, this sentiment has started to sway.  I attribute this to the election of Wim Remes (@wimremes), Dave Lewis (@gattaca) and Jennifer Minella (@jjx) to the (ISC)2 Board of Directors.  These individuals have taken up the challenge of making the CISSP relevant and not just a check box to get past HR.


The value of InfoSec and Hacker conferences is immeasurable. Not only is there the opportunity to learn, but the networking possibilities are endless. The InfoSec community is one big family and you will likely make many friends and possibly meet future coworkers.  I make it a point to attend 3-5 a year.

Conferences are a must. Don't worry about expensive events like RSA or BlackHat unless you can get in with a student or press pass. Even if your company is willing to pay for it, you'll likely have a limited education budget that can be stretched further at other events. Many quality conferences only cost $150-$200. BSides events are held all over the world and range from FREE-$20.

Training at conferences is also a bargain. You can usually get 2-3 days of quality training for $1000 (which includes entrance to the conference).

If you can't afford travel, check out for conferences near you. If you can't afford the cost of registration, consider volunteering. The organizers can always use help and it's a great way to network. You'll have plenty of time to see talks as well.

Independent Study

People who are successful in this field are people who enjoy what they do and spend a significant amount of free time learning. In addition to my day job I spend 15-20 hours per week absorbing new material.

Find an RSS reader you like (some suggestions here) and subscribe to InfoSec blogs. Listen to podcasts. Spend time on and YouTube (I highly recommend Adrian Crenshaw's channel). Join twitter and follow other security practitioners. Learn to code in Python or Ruby and open a GitHub account.

Build a lab. You'll learn by doing. Download tools, spin up VMs (check out Kali and Metasploitable) and spend time familiarizing yourself with them.

Lastly, explore. There's much more information out there than you will ever be able to learn.

Monday, February 10, 2014

Review: Alyssa Milano's "Hacktivist"

When news hit that Archaia Entertainment would be releasing a title called "Hacktivist" the security community let out a collective groan.  The skepticism was not abated when Alyssa Milano was attributed to the project.  How can the Hollywood actress best known for her roles on the television series' "Who's the Boss?", "Melrose Place" and "Charmed" write a comic about a subject that is regularly misrepresented in the media?

In truth Ms. Milano is more than just an actress and author.  She is the Founding Ambassador for the Global Network for Neglected Tropical Diseases and a UNICEF Goodwill Ambassador for the United States.  Her trips to India, Kosovo, and Angola in support of these missions have at least given her some exposure to the regions portrayed in this story.  Ms. Milano had this to say about her inspiration:
"I’m very involved with global activism and philanthropy. I like the idea of everyday people doing good.  My inspiration for Hacktivist is actually Jack Dorsey, the creator of Twitter and Square. I picture him leaving the office at night and going home, where he locks himself in his room and starts hacking to change the world. 
"I felt Hacktivist was a strong story that I really wanted to tell visually.  Doing a graphic novel allowed me to dream big and it gave me the freedom to create without boundaries."
I can't say that I see Mr. Dorsey in the same light. There's a big difference in hacking to be innovative versus attacking companies and governments.

While the comic seems to be Ms. Milano's concept she is only listed as the creator.  The story is credited to Jackson Lanzing and Collin Kelly.  Both of these authors are relatively unknown so it remains to be seen how they will influence the narrative.


The publisher describes Hacktivist as:
"a fast-paced cyber-thriller about friendship and freedom in a time of war. The story follows Ed Hiccox and Nate Graft, the young founders of the world’s most innovative social media company who moonlight secretly as one of the most notorious black-hat hacker teams on the planet. When the U.S. government discovers their operation, they must face the real world beyond the code and choose between loyalty and what they believe to be is right."
Personality wise, the characters read as a blend of Mark Zuckerberg and Anonymous, but with personalities at either end of the spectrum.  Ed is a suit-wearing savant who would rather spend his free time memorizing traffic patterns.  Nate is a jeans-and-hoody-wearing non-conformist who would rather spend his evenings throwing a party that, "makes Gatsby look like a bounce house."

"Hacktivist" is a four issue mini-series so the story has yet to delve into the characters' motivations but the plot is interesting enough to warrant spending a couple of bucks on each issue.

Technical Merits

If you work in information security, don't read this comic expecting familiar jargon or novelty screenshots of nmap and Metasploit.  I doubt they consulted any experts when they wrote dialog such as, "and now they're plugging us into an onion router" and the verbal exchange depicted below:

I tend not to get too worked up about trivial inaccuracies in entertainment media (movies, television, books, comics, etc.).  The purpose of these stories is to entertain the general public, who don't particularly care whether a scene is technically accurate.  No doubt doctors, lawyers and other professionals can point out issues with how their professions are portrayed.


Whether you are a comic book reader or not, the first issue of "Hacktivist" was entertaining.  Without giving anything away, the issue leaves the reader wanting to know what happens next.  "Hacktivist" is a fully contained story with a beginning, middle and end (not always the case with comics).  If you don't like cliffhangers, you can wait until all issues have been released or wait for the trade paperback to be published.

You can pick up a copy of "Hacktivist" at your local comic shop or a digital copy at

Controversy Around The Word "Hacktivist"

Back in July (2013) TechDirt obtained one of the 500 preview copies of Hacktivist that were distributed at San Diego Comic-Con.  They published an article noting that "HACKTIVIST™ is © and TM 2013 by Alyssa Milano."  As you can imagine, this caused a stir in the information security community.  To her credit, Alyssa Milano spoke up on Twitter and directed inquiries to the publisher.  Archaia quickly followed up with a post clarifying their claim.  In it they state:
"Archaia and Ms. Milano do claim trademark and copyright protection, as appropriate, for the book, the title, the characters, and content included of The Hacktivist. However, no claim is made to other uses of the term ‘hacktivist.’ In accord with Ms. Milano’s wishes, we support the attention to the issues of philanthropy and activism."

Friday, February 7, 2014

Lessons Learned: Speaking at a Security Conference

SOURCE Boston was kind enough to take a chance on me, and on April 17, 2013 I gave my first talk at a security conference.  The video was finally released this week, so I thought it a good opportunity to run down my lessons learned.

I fully admit I was anxious and acknowledge I made quite a few mistakes.  I've given small presentations in the past; however, I was always the subject matter expert in the room and felt confident I would be able to speak with authority and answer any questions.  This time I was speaking in front of my peers, many of whom are wiser and more experienced than I.  Looking back, I recall seeing Jack Daniel, Andy Ellis, Josh Corman, Bob Rudis and Ed Skoudis (just to name a few).  The room was small; it could accommodate maybe 50 people, and there were about 35 people in attendance.  I'm not sure if this made it easier or more difficult.  On one hand, if I embarrassed myself it would only be in front of a handful of people; however, the small venue made it more intimate.

Below are the lessons learned throughout the process.  Some of these I was able to incorporate before the talk, others I didn't think of until after the conference.

Submitting a Talk:  When you've chosen a topic, make sure you give yourself plenty of time to submit.  Deadlines can creep up on you.  Also, make sure you follow the instructions.  One thing I constantly hear from conference organizers is that they will reject quality talks if they do not follow the required formatting.

Start Working Right Away:  As soon as your talk is accepted, start working on your presentation.  It may seem like you have plenty of time, but life inevitably gets in the way.  Business trips, unexpected workload and family events can consume your time.  In my case, a death in the family monopolized a significant amount of time and drained a lot of my motivation to work on my talk.

Practice, Practice, Practice:  This one should be obvious.  Get your presentation done early so that you can rehearse your talk.  If you're anything like me, you'll be surprised at how often you tweak the content.  Start with a written script, graduate to note cards, and eventually your slide deck should be all you need to give your talk without thinking.

Slides:  Slides should not contain your entire talk.  They should be used to visually supplement your material.  This is where you can add pictures, charts and graphs to illustrate your point.  Bullet points should be high level and the font should be large enough to read from the back of the room.  In most cases a talk should be able to stand on its own, so if there are technical difficulties you can continue without slides.

Dry Run:  If you have the opportunity, give a preview of your talk somewhere else.  Most cities have organizations that are looking for speakers (DEF CON Groups, ISSA or ISACA chapters, local "city sec" meetups, etc.).  This is a great opportunity to practice your talk in front of a live audience and get honest feedback that you can incorporate later.  If you can't find a meeting, try to arrange a Skype call or Google Hangout where you can present in front of a small group.  You'll be surprised at how many people are willing to give you feedback.

Film Yourself:  No one is going to be as critical of you as you are of yourself.  Watching your own talk will help you work on your timing, get rid of the "ums" and "ahs" and get you to move about (this engages the audience and prevents you from looking stiff).  The dry run mentioned above is usually a great opportunity to film yourself.

Title:  It can be tempting to come up with a witty title for your talk.  This can draw attention and you may get a better turnout.  Just don't get too carried away; you want people to still know what your talk is about.  In my case I went too far in the other direction.  I titled my talk "Hacking Back Is A Bad Idea".  This gave away my opinion and may have dissuaded people who did not share my view from attending.  In retrospect, a more appropriate title may have been "Hacking Back: Is It Right For You?"

Questions:  If you finish your talk early or plan to leave time at the end, you'll have the opportunity for questions.  In a large room you will want to repeat any questions asked: you're the only one with a microphone, and the rest of the audience may not hear the question.  In my case, the room was small enough and the discussion lively enough that I did not feel the need to interrupt to repeat comments and questions.  Unfortunately, this means they were not captured on the recording.

Hopefully you can learn from my mistakes.  I've embedded my video and slides below.

Please be gentle :)