This morning I saw this article: https://room362.com/post/2016/snagging-creds-from-locked-machines/ and it really blew my mind. The simple, but incredibly effective method is tremendous. I know, physical access means you own everything one way or another, but this example is elegant in its simplicity.
This simple article has been running around my head all day, and have struggled to figure out why. A little background, I’ve been following Rob, or Mubix as he’s also known, for a couple years now. When I first heard of him it was a talk he gave about how to create a career for yourself in infosec. As I was desperately looking to do that, I must have watched his talk a dozen times. And I followed his advice. I started creating a brand for myself, I started talking to more people. I’ve continued to follow Rob, learning by picking up the scraps he drops around him with his career. He is a very busy man. He has a day job, a part time job, and a family. I’ve met him once in passing at Derbycon and he’s a great guy, quiet, humble, but very open. He’s one of the many people that have inspired me to take my career seriously.
I fell backwards into infosec like a lot of folks have, by generally being interested in tech, getting some jobs I didn’t like, some I did, and slowly adding security into it. As I have recently come into more of a mentor role than a mentee, reading Rob’s first line in that article is what sent my mind spinning all day.
Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true)
One thing I’ve found to be true among almost every competent tech person is discomfort with their abilities. They’re not scared really, just unwilling to boldly lay claim to things without research, testing, and if possible, independent third party verification. I have suffered from this my whole life, and it somehow makes me more comfortable with peoples skills if they ask you to verify things rather than trust them.
The important thing about this feeling is, that’s what makes the industry not just great, but incredible. I have found myself doing the same things I was shocked to find people I looked up to doing. Giving back. Replying to questions from strangers with annotated lists of resources and interpretations. I’m sure at some level there is community to many career paths, but in security, community is the only way to succeed. Rob inspires me every day because he may not be right, or new, or original, but he’s working hard and putting it out there for other people to learn from. This takes all forms. Conversations, blogs, podcasts, conference talks, sample code, tutorial videos, vulnerable vms, encouragement. It’s not hard to find someone doing something inspiring, or someone that can easily be inspired. Infosec has taught me community is not the gathering of people. I spent a great deal of my life thinking that simply a group of like minded people creates a community. This is not the case. Community is the action of building each other up so that the whole is greater than the parts.