Wednesday, June 7, 2017

Mentoring: On meeting your **Heroes**

I put heroes in asterisks because none of us have paparazzi following us around. I regularly use Val Smith's quote about how even the most popular infosec person is like a famous bowler. With rare exceptions, no one outside of our community knows who we are. I've broken into at least one company from every vertical and my neighbor just asks me to help configure his wifi.

This topic came up because the person I'm mentoring met "a famous infosec person" and the guy proceeded to be a drunk dbag to him. It ended up taking quite a bit of wind out of his sails to have someone he kinda looked up to bag on his current career state and the talks he was working on.

When I first joined the Army, I thought anyone with a "tower of power" (Expert Infantry Badge, Airborne, Air Assault) was an awesome, do-no-wrong individual. Shit, if someone has all this shit on their chest they must be badass, right??!!
For more info on badges:

Well the Army does a great job of stacking the people you initially meet as being pretty decent individuals. I think most people think highly of their drill sergeants their entire life.  So the first few people I met that had these badges reaffirmed this belief.  Then I got out and met a few more and was completely let down at the quality of these people.  When I say let down, I mean defeated/totally bothered that these people didn't live up to the pedestal I had put them on. It REALLY bothered me.

What you learn is that in the military you get to wear a badge you earned at any point in your career for your entire career. So maybe at some point someone was awesome enough to earn a badge. This doesn't mean they are a great leader, still good at what the badge means they are good at, or even a good person. It means at one point in time they met the criteria and earned a badge.

How does this relate to Infosec?

We are all humans and generally react poorly to any sort of fame.

A good chunk of us are introverts.

The "community" values exploits and clever hacks over being a good person or helping others.

We have people that 10 years later are still riding the vapor trails of some awesome shit they did but haven't done anything else relevant since. Some people have giant egos and only care about you if you are currently in the process of kissing their ass. To be fair, if people ARE kissing your ass, it's hard not to get an ego, but you have to work hard to check that shit at the door.

Remember we are famous bowlers?

What can you do?

Check your ego.

Stay Humble.

Help (mentor) others.

Always remember how you felt when that hero dissed you when you are someone else's hero.




Unknown said...

To your points, Doug Burks gave a great talk on Good vs Evil this past week at the SANS SOC Summit where he talked about his heroes, the legacy they created, and how they helped him. Then he challenged everyone to be that helping hand whether you are mentoring a person or not. It's about leaving a legacy behind, helping others grow in this field, and paying forward what others gave you.

Anonymous said...

I totally agree. After many years in IT and infosec, I've learned that egomaniacs are rampant. Takes a lot more strength & courage to be humble than most people think.

The industry doesn't need more rockstars, or wanna-be rockstars; we need teachers and mentors to educate infosec newbies, and the less technical people. That's the long-term fix for our security woes.

Strat said...

You make some important points here. To be fair, one thing I've noticed over the past 'n' decades in this business is that you have to be careful with your definition of "community." There are often a bunch of people swimming in discrete little ponds, with very little appreciation of their industry as a whole.

I don't want to single out the redteam/pentest consulting crowd as particularly problematic in this regard, but it is what it is. I think as with so many other things subject to the availability heuristic (it's a bias), the loudest voices are often perceived as the most significant. The hilarious thing about that is that this is a space where some of the most phenomenal work is done by the quietest people.

It has been weird to watch. I co-founded a pentesting and incident response company in the 1990s and sold it in 1999. We pretty much wrote our own tools on-site in order to get the job done, and then were happy on the next gig that we then had it in the toolbag. No, there was no Metasploit. Yes, we got the job done.

It is a fact of life that one has to promote oneself in order to foster one's livelihood, so self-promotion isn't automatically a terrible thing. What borders on the unforgivable are people who practice posturing as a leader, but don't even have a solid grounding in their own technology. Hang out with academic researchers, and while you'll find your share of people full of themselves, you'll also discover the wonderful phenomenon of multi-Ph.Ds who embody humility with every breath. I think there's a level of learning where one realizes that the set of things-to-be-learned will always eclipse the set of things-one-knows.

It is easy to spot the people who are "trying too hard." They're "application security experts" who have never earned a living by having to write and ship commercial software, or "network security experts" who have never read an RFC document. It also includes the "researchers" who have never read a paper in a journal. They are more deserving of our pity than our anger.

I would be careful about tarring the whole "community" with that brush though. I've made friends in this business who have always made a habit of trying to help each other out, be it personally or professionally.

There are also many, many people working in quiet ways (sometimes at layer 8 or 9, if you've seen that t-shirt), to make the world safer for everyone. Some may never be at liberty to talk about what they do, and some can't because they're only effective if they're discreet. They're out there, and we're all better for it.

Anonymous said...

The difference between a hero and someone whose conscience has sway is doing the right thing every day. In some ways it's easier to do the right thing in the face of talking guns: mistakes don't carry long-term consequences. In daily life, the stakes and consequences change, immediacy falls away, and all the flaws that make us human come to bear. One thing I'd ask the up-and-coming researcher is this - does a man down on his luck constitute any drawback to the original act which made him an aspirational target?