Silicon Shecky

Infosec Practitioner


Do well, not be “popular”

March 9, 2022 By Michael Kavka

I’ve had some things on my mind so this will turn into a rant or stream of consciousness. If you feel called out on this post, it happens. Hopefully this will help some others out there.

See, I’ve spent the last 15 years, as I moved from a Network Engineer to a Security Engineer, trying to fit in with the CyberSecurity/InfoSec crowd. I am proud to be part of the community, proud to be one of the organizers of the Burbsec meetups in the Chicago area. I love welcoming new people into the community, but I am not a leader. I don’t and will never be looked at as a thought leader, a well known speaker, or anything else other than Shecky.

It is not that my thoughts and ideas are bad, I just am not part of the popular big names. Yes I occasionally get a speaking slot at a conference here or there, and I love doing it, but I am 50 years old with a 5 year old son who I adore, so I don’t do a lot of travelling to distant conferences. I mostly stay within a 4-6 hour drive from the Chicago area. When I was younger I didn’t have the money to do travel, and the whole traveling consultant thing and I had problems as a local network/server/desktop person before I moved into security. Add on that my writing skills are the weakest part of me, and you have a recipe for being just another face in the crowd, which seems to surprise some people because I talk with the more well known people in this field so it is assumed that I am one of them.

I’m not though. I am your everyday person (pronouns, for those that ask, are he/him). I try to keep my main Twitter posts security related, unlike many who use it for expressing their political/social thoughts. Note that I said my main posts, as I will reply to others’ political and social issues posts. Also realize that these other people get followers strictly for the non-security posts that these people make. There is nothing wrong with that at all and I commend them for trying to make the world a better place by pointing out what they see wrong with it.

I’m not well known as I have never written a piece of software that people use, written some huge idea that people have run with or started/founded a company. I have not run a conference, although I did offer to help build one but was told I wasn’t needed for that level. Instead I just volunteer for it, and a few others. I enjoy documenting the conferences by officially taking pictures for them (I was a professional photographer for a while back in the 90’s). I enjoy helping others out. I see cooperation as a way to improve, well, everything including security.

I love public speaking, but as I said my writing skills and lack of any big revelations tend to get my talks turned down at the CFP level, and I do let others look at and help me edit my CFPs before I put them in. I know my weaknesses. Those rejections hurt and I take them hard and sometimes personally even though they are not. That comes from rejections and being looked down on throughout my life going back to childhood. Like many I was picked on growing up. Adults shunned my thoughts, and people my own age, I didn’t fit in well with most of them.

I feel bad that new people to our community get picked on, and trolled. It is not the right way to do things. You should be treated with respect no matter your gender (or lack of gender), skin tone, religion, age, sexual orientation, or anything else. Yes I do speak this as a Jewish White Male, so from a position of privilege. I do what I can to use that privilege to help others.

Yet, here I am, still going, still trying to post stuff that will help people, and I will keep doing it no matter how often I seem to get the urge to just give up. I fought hard to get where I am. When I got back into computers in ’97 I looked to the world of security. I worked as a break/fix guy, on the helpdesk, as a system admin, a network admin, a network engineer. I had times where I was out of work due to contracts or being screwed over. When I finally got my first official security gig in 2015, I felt it was just the beginning. I dreamed of becoming a big name, or at least speaking at conferences and eventually keynoting them. Instead, I’m just another cog in the engine who is respected enough to chat with and know some of the big names, and you know what, that is fine. There are more people like myself out there, and we are the ones who have to take the big thoughts and make them into reality.

We just need to be treated with kindness and respect, especially when breaking in. It is tough enough to get that first security job, especially the way that I went about doing it with no degree. The gatekeepers are tough, but persistence works and eventually will pay off. So be part of the community. Talk to others, no matter how big a name they are. Ignore the trolls, cause even if they are right about something, they will say it in a condescending way. Finally, help pull up others. With how the world is today, we can each use more people in our corner.

Filed Under: Ramblings, Rants

Gatekeeping and Treatment of Others

May 21, 2021 By Michael Kavka

There is an issue in the world that we see crop up in the Information Security/Cyber Security field: gatekeeping. We tend to equate it with making it more difficult to get a job, harder for people to break into the industry, and of course expecting people to just know things. In the world of IT/IS we pick on end users for not knowing, behind their backs, pretty regularly. How do we know that they are not trying to learn though? How does it make someone who is just learning feel when you treat them like an idiot?

I’m not going to lie here, I’ve been guilty of picking on people at times. We all are guilty, especially when one claims to be an expert when they are not. There are also a number of people who are on the autism spectrum or have other issues that make them awkward and just want to fit in, or overly excited when learning something and it works. This has happened to me in the IT/IS field, but most recently outside of it, and let me share this outside instance since maybe it will make things a bit more relatable and be a better moment to learn from for all of us.

One of my hobbies is trains, big and small. I got back into this hobby thanks to my son, who started loving trains when he wasn’t even a year old. It prompted me to get out my old HO scale trains and get them running again, along with buying some new ones. This isn’t my first time being involved in the world of model railroading/toy trains, but the last time I was into it, I was a kid. I drifted away from it when my family moved to a bigger house right before 7th grade, and we stopped setting up the trains during the winter because of the space required for them. Up until then we had set up my trains and my grandfather’s pre-WWII standard gauge sets for the winter time.

Getting back to present day, when my father passed away he was getting ready to get my grandfather’s (mother’s side) trains up and running again. As my son hit his 2nd birthday I found out about local train shows, and found some people there who took a look at these train engines and said they were in pretty good shape and I should be able to run them with a little work. They gave me a list of things to check and do and I went at it. I got those up and running in the spring of 2019, 4 months before my mother passed away. She was happy that she got to see them run again.

During this process I became a huge fan of a specific standard gauge train set that the Lionel Corporation made called The Blue Comet. I would check online from time to time, and always see it well out of my price range. Recently, I was able to purchase this train set through an auction at a reasonable price for me. The problem with the auction houses is they grade on cosmetics and do not guarantee the engines are in working order. This engine sort of worked, and had a partially busted wheel on it. I did what seemed like, and overall has been, a good idea, which is to post in a Facebook group about Tinplate Trains that I am a part of, since I could not find any actual instructions for repairing/rehabbing the motor. A few pictures and some threads, and I had pulled the motor apart, cleaned it up, fixed the issues which were causing it to only partially work, and started to put it back together. I thought I had done a good job, and was waiting on some parts that I had ordered which I need before putting the motor back into the engine shell, so I took a video of the motor running with the wheels on it and posted it to the group (I also posted the video to my Twitter timeline since I put some of my train stuff there).

The responses in the Facebook group were going along great, from “Good job” to issues some saw with the wheels wobbling too much and a squealing sound. Most of the comments included advice on how to go about correcting these issues. Then today (5/21/21) I got this comment:

Now to be fair, I was proud and when I made the video I thought it was running beautifully. I did use that terminology. On the original post that this comment was made I had thanked the group that had been giving me advice on fixing the motor. Never in the video did I claim to be an expert. In other comments which had mentioned issues they saw I thanked them for seeing the problems and asked for advice. One person even has been messaging with me, wanting to help me learn. Even with the advice in the latter half, seeing this comment first thing in the morning today made my heart sink a bit, but also got me angry, so I responded to this person with:

The only other comment to this critic was calling him out for gatekeeping, from one of the people who have been giving me advice as I have been going along. The thought of just giving up on doing this had crossed my mind when I initially read the comment ripping on me, but I decided more people have been encouraging, and I want to be able to teach my son, so I am not going to quit.

The moral of the story is that one small snarky comment without understanding can be a huge gatekeeping moment in any field. Sharing information, and helping to teach each other, no matter the level we are, is the way to a more secure future. There is a time and place for snark/teasing especially once you know someone, but realize what damage it can do to someone’s aspirations and mental health if done poorly or at the wrong time.

Filed Under: Rants

The one about banking passwords…

March 5, 2021 By Michael Kavka

The world of cybersecurity understands the need for secure passwords. While passwords with special characters, numbers and both capital and lower case letters help make them more secure, length is a factor. These reasons, along with using unique passwords, are why we recommend password managers. It has been a long running feud with sites to get them to allow some of these factors, especially banking sites. The most common things they have issues with are long passwords and special characters, and some of this stems from legacy systems that might still be in production. Mainframes that do the actual work tend to have less secure requirements (I have seen this in many companies that have mainframe systems for specific things).

There is now another issue in the mix, and that is financial software. I recently was trying out Quicken, which I had used years before, to see if I could recommend it to someone I know after they had asked about it. My prior experiences with it had been positive, and I was glad to see that things looked pretty much the same, but updated and a bit easier to use. That was until I went to enter one financial institution’s password to get transactions. Quicken itself has decided that you should use only up to a 12 character password (I use much longer ones), and will not work with longer passwords. Not only do they do this, but the error message puts the blame on the financial institutions, which is an outright lie.

When I talked to support they apologized and said there is nothing that can be done at this time to correct the issue. That is their choice, and I will tell the person who asked me about it not to use it for security reasons at this time. What worries me is the everyday person who will believe the lies coming from Quicken on this. The number of breaches, and security of online accounts, especially financial, is awful, and many banking sites still have issues with MFA (and those that do have MFA force SMS and do not allow for authenticators or hardware dongles). Having a third party dictate less secure passwords is wrong for overall security.

We have a difficult enough time with security; we do not need companies forcing us to be less secure than we need to be.

Filed Under: Rants, Security, Software Tagged With: Banking, Passwords, Quicken
