I’m always looking for a better way to do things. I’ve spent hours, days, weeks, months trying to learn how to do things the most effective way possible. This often means deluding myself that there’s a way around hard work. That’s part of the impetus of this blog. It is here until I stop paying for the hosting. Staring at me. Every time I see it, I see the goal that I set for myself, *write more*. There’s not an easy way around this, there’s no shortcut key or macro, I have to do the work.

The hardest part is starting. When I’m trying to do something I’ve never done before, I can, and have, gotten lost. I’ve never written a blog, or done much writing since the 8th grade. So I look for shortcuts. For optimizations, for fun things that help me pretend that I am moving forward. But there aren’t any. The best advice about writing is, “write more”.

I had never started a new career, but I had had a few different jobs that could have become careers. Five years ago I rejected them and moved in a new direction. I was working in a job that I had gotten because I had “Photoshop Skills” on my resume, and my interviewers all were impressed with my communication. I told them in plain language what I had been doing, how I felt I had progressed with it, and what I could and could not do. The job combined a lot of project planning and implementation, and some prepress work. This is a fancy word that describes altering someone else’s artwork to get it to print the way they like or expect. For a while this was fun.

When I found myself spending all my free time installing Ubuntu or FreeBSD, my reading was blogs or books about shell scripting or programming, then I felt it was time to move. I looked back at what held my attention consistently since high school. “Computers” was the simple answer, but I had a job with “computers”. On that front I couldn’t be happier. I spent every week day in a nice office, with free coffee, working on a brand new *Mac*. High School and College me couldn’t be happier. Future me was upset though. Future me didn’t want this. So I researched. I spent days and months searching the internet to learn where I could go with this. Network Engineer, Network Admin, HelpDesk, IT Support, SysAdmin, Operations Engineer, I applied to them all.

There were no shortcuts here. I knew I wanted to be an IT professional. I knew it would take years to get the understanding and experience I needed for this to be a career. I had success. Not immediately, and it took hard work. I had a job that I didn’t like, and it did not prepare me, so I studied, I practiced, I worked hard to get a job as “IT Support”. Matching the adage that titles mean nothing, this job was amazing. It was hard work every day. I had to learn EVERYTHING. Active Directory, IIS, SQL Server, Apache, DNS, cable routing, hardware installation, troubleshooting, user support, business continuity, everything was new. I had arrived. I was an IT professional, a sysadmin to be specific. And it was still not enough.

Now all my down time I was learning about Information Security. I had learned that this was a thing during my previous job search, and maintained a few contacts, attended a local user group. This taught me to have a new dream. Information security was sysadmin++. You have to know systems, networks, software, people, businesses, and all their interactions. This became my goal. This continues to be my goal. I’m at a different job now, with a title that has “application security” in it, but I know how little I know, and how quickly the space is changing.

Hard work continues. I am an information security professional. I know what the security concerns are of our product. I work hard to keep learning. I work hard to get better. Sometimes I forget that effort is the most effective way to do something. Sometimes I keep hoping there’s a quick blog post I can read that will unlock the next door. There isn’t. There are distractions. There are obstacles. Sometimes they might help, but they’ll never move me forward the same way hard work will.

Ohio InfoSec Forum 2014

Somehow through Twitter last year I found out there’s an active infosec group in my home town, Dayton. Every year they have an anniversary con, one room, one track, and great speakers. Last year my favorite talk was about the Kali Linux project by Martin Bos. I hadn’t seen anyone discussing much other than the official website, so it was great to hear more details about the transition from Backtrack to Kali and the goals of the project.

Following the group in the last year, I found that this year’s anniversary fell on a weekend I was planning to head to Dayton with my family anyhow. Between a flexible wife and parents and a job that’s happy to let me set my own schedule, I got a Friday off for family time and a great Saturday of learning and networking. This year’s lineup had some familiar faces and some new ones, at least to me.

Dave Kennedy of TrustedSec opened with a great talk about awareness initiatives, things he’d seen succeed, things he had proven were failures, and ideas to move forward. Like all of his previous talks I’ve seen, Dave showed off his Java Applet attack in SET, which was honestly distracting to the greater message. Security program awareness and success is directly tied to discussions and interactions with the users, not the technical controls put in place. Dave explained how in one of his past positions he started outreach programs from the security and technical staff to the rest of the users. They explained media stories, answered questions, fixed personal laptops, basically taking any opportunity to help people understand what risks exist and how to make an intelligent decision about them.

Jerod Brennan is a security consultant at Jacadis and deals with assessing customers’ environments, websites, and applications for security flaws. In this role he’s been analyzing mobile applications, both iOS and Android, and found some alarming security flaws. He opened explaining that during penetration tests, mobile applications had not often been in scope, but as they started to grow in popularity, they’ve become a great target to help identify security problems in an organization. The problems identified in the past ranged from information disclosure to third parties having access to customer data.

Between stories of security problems he’s seen in the wild, Jerod discussed how to retrieve the application bundle and analyze the app itself. Both iOS and Android deploy apps in a zipped container, and inside that container are text files that can be scanned for some common words or phrases to begin to understand what the app is doing. Looking for things like “http://” or “password” often yields valuable information. Other dangerous security problems he has seen in the wild were things like including .dlls in an iOS app bundle. These were easily reversed to get the raw source code that provided valuable information. Problems like this often arise from using a cross-platform development environment, lowest-bidder contractors, or just laziness about security.

The most damning problem that Jerod had seen in the wild was where a client’s app had been developed by an outsourced developer. This developer had written a part of the application to contact his personal environment, in addition to the client’s, when it was connecting. Jerod didn’t disclose what information was being sent or retrieved, but he emphasized the security concern at play. If a malicious entity wanted to compromise the client’s app, they no longer have to deal directly with the client’s environment. This loophole in their mobile app has the potential to allow attackers to compromise the developer’s environment, and pivot from there into the client’s system.

The takeaway message was the same as many security talks, validate your assumptions, and verify your security. Even if you have a mobile app developed wholly in-house, it must be built with security in mind. Discussing, developing and testing security is the only way to be sure that you’re defending your organization and your customers, and the related data.

For a conference that only cost a $10 donation, breakfast and lunch were provided, which put everyone in the same room with no real goal, to allow for conversation. I met a couple gentlemen from a local managed services company who had never attended a security group before; they were getting great value of things they could bring back to build their business. At the same time I spent a few minutes talking to the organizers, who all worked from different companies ranging from Jacadis, to Rapid7, to an unnamed Department of Defense contractor (Dayton is in close proximity to Wright Patterson Air Force Base, which employs a large number of civilian contractors).

Deral Heiland is by day a penetration tester for Rapid7, and by night a guy that “googles how to code”. The combination of these two things is his application Praeda. Named for the Latin word for spoils or booty, Praeda is an application that will scan a network segment or IP for a device in its list. If it finds a matching device it will attempt to login with the vendor’s default credentials and extract/read/download any sensitive information.

Traditionally during network penetration tests, this sort of thing had been a last minute maneuver, just to show a few more basic vulnerabilities at the end of a test. When Deral first got his application working, he ran it and harvested enough information to get into much of the infrastructure that did not have default credentials, but did have sensitive information shared to less significant devices. What does this mean? That things like IP cameras, multi-function printers, or similar can hold and repeat a serious amount of potentially dangerous information. The result of this little demonstration was that now this is one of the first applications that Deral and his team run when they’re in a new environment.

Around this point, someone in the audience asked about how he discovered the exploits used in this tool. Deral gave half of a laugh and explained that there is no real exploit here. His tool is using intended functionality; that of a restricted portal or settings page. The problem is that it has published defaults that were never changed. Deral’s point, and one of the most damning problems with device or software security, is that of shipping with default credentials. In this particular case, Deral’s tool has found devices using default credentials that somehow have significant information about the company that owns them.

The talks ended with a great discussion of passwords by Tom Webster. His talk didn’t present anything particularly new, but reinforced a lot of debate that has been occurring lately, which are more secure, complex passwords, or long, simple passphrases? Security as a thing has generally encouraged complexity, but this fails the user in that it is very difficult for the human to remember, and technically easier for software to break.

At the end of the day (after the cake) I looked around and was shocked that the room was not full. Here was a day of great content, great discussion, and great networking for nearly free. I felt like this event was a great example of the giving nature of the InfoSec community, one that continues to surprise me every day. The organizers KNOW there are smart people around, they know these people have stories to tell that will help us all get better. So they’re doing what they can to make that accessible. Being on a Saturday means that people didn’t have to take off work. Being $10 means pretty much anyone can afford it. Being open to the public means anyone can come in. It’s pretty awesome to walk into a room of complete strangers on the other side of the state, and get welcomed like a regular. I hope I get another chance to attend or speak at an Ohio InfoSec Forum event.

A gesture

The reason Apple nearly ignored the Mac Mini is control. I nearly missed the revolution of gestures on the desktop because my only Mac was a Mini with a mouse. With the MacBooks, and in recent years, the iMacs, the default input has changed from a mouse to a trackpad. For a lot of people, Apple invented the mouse, how could they take it away? They took it away because they found a better experience. Watching the changes in Safari that were showcased in Monday’s keynote, it finally clicked home in my head.

From my point of view, gestures are the convergence point of iOS and Mac OS. Since the first release of the iPhone, bloggers and others have been wringing their hands about the iOS-ification of Mac OS. I have always thought they were missing something serious, “who will be writing and compiling Objective C on an iPad?”. I think that I, too, was missing a point. The convergence of these two things will be based on the design.

“Most people make the mistake of thinking design is what it looks like. People think it’s this veneer — that the designers are handed this box and told, ‘Make it look good!’ That’s not what we think design is. It’s not just what it looks like and feels like. Design is how it works.” –Steve Jobs

If design just gets out of the way, old metaphors like scroll wheels on mice just don’t cut it. Swipe, pinch, drag, grab gestures, they just make more sense. More and more of our computing experiences are moving to the browser. The easier the browser is to use, the better the experience you have with the computer, and past that, the Internet. I was shocked the first time I used two fingers to scroll on an Apple trackpad, or two fingers to right-click, or swipe to go forward or back. It just seemed right.

I’ve always loved Apple for the experience, the little things. With my Macs, I’ve always had gigabit Ethernet ports, wifi, DVD players, and great trackpads. Not good, great. I cannot recall missing a tap. Or failing to scroll, or losing the cursor because it’s taken a mind of its own. In other laptops, all these features seem to be optional or add-ons, if they are available at all.

PS to remember Part 1

Reading through this link, Raphael Mudge talks about using rogue applications called notepad.exe to call back out, and then drops this tidbit (emphasis mine):

netstat -nab is a tool to help you discover rogue notepad.exe instances connecting to the internet

the output of which looks something like this:

I think to myself, this is a fantastic tool to use for troubleshooting, however, the default output is huge. I need to pare it down a bit. In Bash, I would just pipe to grep and be done. I’m very new at PowerShell, but it seems overly optimistic to think it has grep.

After a bit of searching, no, there’s no grep. However, somewhere in the StackExchange network there was a more appropriate solution. “Out-String” and “Select-String”. Mixing all that together gave me the following:

netstat -nab | Out-String -Stream | Select-String -Pattern "ESTABLISHED" -Context 1

So what does all that mean, exactly?

netstat: “Displays protocol statistics and current TCP/IP network connections”

    -n : shows addresses and ports as numerical information
    -a : all connections and ports
    -b : show executable involved

Out-String: Sends objects as strings (pipes the output of netstat as strings instead of data)

    -stream : sends each string individually rather than concatenating to a single string

Select-String: …You can use it like Grep in UNIX…

    -Pattern “” : inside the quotes goes what you’re looking to filter with
    -context # : this is the number of lines after your match that you want to return.
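
The one-liner above pairs a connection with its program purely by line proximity, but `netstat -nab` can print a service-name line between a connection and its `[executable]` line, and a single `-Context` value returns lines both before and after each match (`-Context 0,2` limits it to lines after). As an added example, not part of the original post, this PowerShell function parses the output into objects so established connections can be filtered by owning process; the sample output, the `ConvertFrom-NetstatB` name and the `$unexpected` list are constructed for illustration.

```powershell
# Constructed sample of `netstat -nab` output (addresses are documentation ranges).
# On a live system use instead:  $netstatOutput = netstat -nab   (elevated prompt needed for -b)
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.0.2.10:49712       203.0.113.5:443        ESTABLISHED
 [chrome.exe]
  TCP    192.0.2.10:49800       198.51.100.7:80        ESTABLISHED
 [notepad.exe]
  TCP    192.0.2.10:49815       198.51.100.9:443       TIME_WAIT
 Can not obtain ownership information
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
'@
$netstatOutput = $sample -split "`r?`n"

function ConvertFrom-NetstatB {
    # Hypothetical helper: turns netstat -nab text into one object per connection.
    param([string[]]$Lines)

    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$') {
            # A new connection row starts: emit the previous one first.
            if ($current) { $current }
            $current = [pscustomobject]@{
                Proto   = $Matches[1]
                Local   = $Matches[2]
                Remote  = $Matches[3]
                State   = $Matches[4]   # empty for UDP rows
                Process = $null         # stays $null if ownership is unavailable
            }
        }
        elseif ($current -and $line -match '^\s*\[(.+)\]\s*$') {
            # The [executable] line may follow a service-name line, so attach it
            # to whichever connection row was seen last.
            $current.Process = $Matches[1]
        }
    }
    if ($current) { $current }
}

# All established connections with their owning executable.
$established = ConvertFrom-NetstatB -Lines $netstatOutput |
    Where-Object { $_.State -eq 'ESTABLISHED' }
$established | Format-Table Process, Local, Remote, State -AutoSize

# Programs with no ordinary reason to hold a network connection
# (assumed list for illustration; tune it for your environment).
$unexpected = 'notepad.exe', 'calc.exe'
$established |
    Where-Object { $unexpected -contains $_.Process } |
    Format-Table Process, Local, Remote, State -AutoSize
```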

So, as a baby step into PowerShell and learning how it is not Bash, this was fun. More of these to come as I get better at it.

How I got here and where I’m going

Last night I was catching up with an old friend, and in refreshing the last 24-36 months I told him what I had been up to. In hearing his story, it is striking how close it is to my own. He has a decent job, wonderful wife, and if the construction ever finishes, a lovely home. He told me he doesn’t dislike his job, but it feels like he’s not getting there quick enough. I told him about my trials with work, and how I got to where I am now.

After college I had no idea what I wanted to do. I suffered from nearly terminal lack of motivation. I watched my friends move out to jobs and grad school, while I just stayed put, working in a Bob Evans. Eventually it was time to move, so I got a short-term job as a liquidation manager in New Jersey of all places. This was a few months of intense work, sales at that, which gave me enough money to move to Cleveland. Once I got to Cleveland, I still had no job, and very little professional motivation to follow my college degree career path. I did, however, have the motivation of rent. I did a little construction, building decks and installing siding for a few months, odds and ends contractor stuff as a laborer. This was nice through the summer, but wouldn’t work in the winter.

I applied and got hired at CompUSA, to work in the warehouse. This was a blessing, because if there’s anything I do not like, it is trying to sell things to people. I made a few friends in the “Tech Shop”, where customers could bring their computers for repair or upgrade. This started to teach me both how much I already knew about troubleshooting and how much fun it would be to do that as a job. I started to see how being “into computers” could result in a paycheck. After about a year there, a friend said I should send my resume to his company, he would recommend me and they were a great place to work. I did, and was interviewed to do QA for their internal and external websites. The interview went great, but apparently shortly following it the manager who I interviewed with left that company. My application was left hanging as one of his open items, and it took me a few months of following up to get a second interview. This interview was even better than the first. I talked with a lead developer and the VP who was running the IT department temporarily. I was offered a job with no real description or title, but they said with my graphics experience I would be in between their IT department and digital print shop, not QA. I gladly accepted, this was my first full-time, for real job, with benefits, perks, salary, everything.

I was in that role for about 3 years. Flux in the company bounced me around to 3 or 4 managers, a few different desks, and many, many projects. I learned a great deal about digital pre-press work, and how to configure the web and print graphics for their custom print-on-demand solution. The biggest thing I learned there was that I had no desire to pursue this any further, and that it was worth a gamble to get out of the print/graphics career field. After talking it over with my wife, we agreed that now was the time to gamble. I had experience enough to get another prepress job, but no interest in it.

Finding a low-level IT job with no experience or certifications is pretty difficult. I applied to anything IT related that said “junior” or “entry-level”, with nearly no success. One company, an information security consultant firm, replied to my application with “you’re the second or third person with graphic design experience we’ve had apply, what makes you interested in this?” So I started a dialog with this person, who I later found out is the owner/lead consultant, about how unsatisfied I was with graphics and print, and my ever increasing interest in computers, networks, software, etc. We set up an interview and I went. After a little small talk, they got down to it and explained what they were expecting from the position, then provided examples of the work environment and the tasks that would be assigned. During this I only had the faintest notion of what they were talking about, and said so. I thanked them for their time, but told them I was woefully under-equipped for the position, no matter how interested I was. They respected this and gave me a few pointers to build up the skills and knowledge to get to that level. One of these was attending the local infosec group, NEOISF.

I’ve been attending meetings ever since. I’d like to say I’ve been every month, but life gets in the way sometimes. The first few meetings I attended I felt like the speakers were using a different language. I typically got lost in the talks right after the “Hello, my name is…”. Taking notes, reading blogs and tech articles discussed in the talks, trying out some of the things demoed, they’ve all slowly built up my knowledge and skills.

I had one other interview that went well, and resulted in a job offer as a “systems operator”. I optimistically thought this would be a path to a real systems administrator position. Sadly, this was not the case. The job amounted to a little bit of software and website QA, running a few reports, and monitoring the monitoring system so we could alert people if something broke. After about a week of this, I started looking for jobs again. Over the course of the next 18 months I tried to build myself up professionally. I got the A+ and Network+ to actually add IT things to my resume. Finally my constant applications paid off. I had two interviews that went great, one at a colocation facility, and another at the company I had done the graphics work. Both companies had a great offer. The colo said they support Linux & Windows customers of every different stripe, and that I would get a ton of hands-on time with server administration, but it would be 3rd shift only for at least the first year. The other company offered me a spot on the IT admin team. They were expecting an acquisition to be completed soon, which would amplify the day to day work, and would be an excellent time to start my IT career. Between the normal schedule offered and my experience working for the company, I took the safe bet and went back.

The next 18 months were fantastic. I worked on a team of people who gave me difficult, challenging projects almost every day. They were great to work with and I added a dozen lines to my resume, things like .NET website setup and migration, QA/Dev/Production environment configuration and maintenance, desktop support (Mac OS and Windows), SQL Server maintenance, version control migration, and much more. I didn’t know it at the time, but here’s where I became a sysadmin, the title I had been reaching for since I discovered it existed. Other events forced me to leave that job, unrelated to the team or the work. It was a sad day, and I still miss working with a team where everyone is challenged together. This environment taught me how to be self-sufficient with new technologies and just how valuable another set of eyes at the crucial moment can be.

In my current role, I’m straddling the QA and sysadmin roles at an enterprise software company. I spend a good bit of time administering a large virtual machine farm, creating/configuring/upgrading machines, monitoring the environment, and maintaining access. Other tasks are replicating customer environments to repeat problems for development and QA, so that we can verify the software gets fixed. QA tasks are pretty limited compared to the rest of the QA department. My team is responsible for a very small set of features, mostly authentication and database related, because we have access to create complicated test environments at will. The big perk of this job is professional development. Previous employers of mine were either not at all interested in this, or only superficially. Now it’s a full time item, they will supply budget and educational materials to support my goals.

Now I’m looking at where I want to be. After working into the IT field and attending NEOISF meetings for roughly the same amount of time, it’s infosec, or Information Security. Bringing this up with my current manager met great enthusiasm, as building out an accountable security team is one of the company’s current goals. So now I have an environment to grow in, a company enthusiastically supporting my growth, and no experience. Oh, and I have the same workload as before, just with the added action item of “get better at security”. I’ve started attending conferences and asking for training, reading as much as I can get my hands on, and researching certifications that can be used as a milestone to show development. Outside of work I’ve built a test lab machine to house VMs for testing “red-team” attacks and analysis. Rather than watching TV or movies, I tend to spend my free time watching talks recorded at infosec conferences. And I started this blog to just add one more point of forcing myself to both do something new and keep track of it.

A group of like-minded individuals in the QA department have started meeting to try and figure out both what kinds of things our software has been vulnerable to in the past, and discussing what it would take to find these sorts of problems going forward. I think our biggest problem is no one has any real experience with security.

Does anyone know how to build a QA security program or team?

Walk Away

One of the rules of troubleshooting is never change more than one thing at a time. Given that I have effectively become a professional troubleshooter as a sysadmin, you’d think that I would be capable of remembering this, turns out, not so much.

After spending the better part of 3 months acquiring, configuring, reconfiguring, and using my test lab ESXi machine, I decided it needs one last bit of reconfiguring. Since the purpose of this is to have a platform for testing exploits, it is a good idea to create a DMZ network to wall the virtual machines off from the rest of my home LAN. “This should be easy”, I told myself. Add a NIC to the router (an old Dell running pfSense) and one to the ESXi host (a less old Dell), connect the two and tell pfSense what to do with traffic.

Turns out it really is just that easy. Once the link is active in pfSense, you just add the interface, rename from OPT1 to DMZ just to clean it up, and set the IP. Next, set a couple of simple firewall rules to allow any traffic from the DMZ interface to anywhere that is NOT the LAN interface, and any traffic from the internet to the DMZ interface. Then just turn on a DHCP server, and away you go.

Away I go, almost. The link is up and physically active, blinky lights and all, but no DHCP. “How did you check this?” Good question, glad you asked. In the configuration of the ESXi host, there’s a network adapters section. Looking at this, the LAN interface showed the IP range that I had configured on the LAN interface DHCP server. I *assumed* the same thing would happen when I connected the DMZ link. “Didn’t you try to verify another way?” Yes, and here’s where I totally dropped the ball. I tried rebooting the router and the ESXi host, nothing changed, I tried reconfiguring the ESXi connection, I tried reconfiguring the DMZ interface on the router, nothing changed. I added the interface to a vSwitch, connected only that vSwitch to a VM, and tried to force its NIC to update, even rebooted the VM. “Didn’t you say you were a sysadmin? You couldn’t figure out networking?” I was in a hurry, so I logged into a VM I had never used before, thinking it would be just as good as another. I was wrong.

In frustration, and knowing that I was already confused by something simple, I stopped, and came back the next night. For good measure, I rebooted both machines. I logged into a different VM, Backtrack. I’m comfortable with the OS at a command-line and GUI level. My assumption this time was, “it’s another day, before you change anything, just give it a shot”. TA-DA! Now it works. Connected immediately, could ping the gateway (DMZ interface) IP, could ping,, you name it. Internet connection live.

So I changed configuration and tested with something I didn’t fully understand. This time it didn’t really cost me anything, because getting that interface working was the goal of the night. But it did serve as a reminder not to get cocky. I’m fairly comfortable troubleshooting simple networking problems, provided I’m using tools I am comfortable with. I’m also thankful it only took me 24 hours to find the solution.

Be Cool

I’ve watched people fumble in presentations, I’ve watched them lose audiences because they let a hiccup break their concentration.

Giant caveat here; I’ve done the same. For a long time, every time I was put on the spot I would make the same mistakes. Get lost in something loosely, or entirely unrelated, have glitches, or lose your place. Lose the concentration needed to pick right up.

The best speakers are the ones who take this all in stride and adapt their ideas on the fly. The first time I remember watching this failure to fail happen was in high school. Watching a garage band play, one guitar player broke a string towards the end of a song. The other members broke into a long, winding interlude while the other dropped out, strung a new string, retuned his guitar and picked back up. They didn’t pause, they didn’t even look at each other. Was this something they rehearsed?! It doesn’t matter. To most of the audience, they probably didn’t even notice that the band was short a member for 5 minutes, the show just went on.

This is the message I am trying to internalize. If you don’t act like something is wrong, nothing is wrong. I’ve seen presenters lose sound or video, and just keep right on trucking. Projector fails? Slides are wrong, missing, out of order, typo’ed? Just keep swimming. If you show your audience that those things are unimportant to your message, it’s easy to get past. I was reminded of this situation recently by reading

  1. Look cool.
  2. Never get lost.
  3. If you get lost, look cool.

Looking cool is important to get your audience to believe you. To believe that you know your material. Acting cool is how you keep your audience, how you hold them tight when you’re going to shit. Public speaking is rarely as life-threatening as Special Forces operations, but those three rules still apply for the same reasons. Look cool; know your talk, know your slides. Be prepared to go it without slides, without a mike. Never Get Lost; don’t let something unexpected get in your head. If you do get lost, Look Cool; practice what you’re doing so that you can fall back on what you’re talking about, or how you’re talking. If you build your talk, your presentation, your meeting this way, you will succeed, you will get your message across, you will hold their attention.

This weighs heavy on my mind this year as I’ve started speaking at conferences, something I had never before even considered doing. Previously I was scared stiff of anything remotely related to public speaking, even in small meetings. Now I am forcing myself to build a simple message and deliver it to the best of my ability. I have rehearsed my talk, I have learned how to look cool while I’m doing it. It’s not easy, but it is a new muscle that needs flexing. Communication is always the most important thing in any job, so I am forcing myself to get better at the parts I know I struggle with.

BSides Cleveland – Afterwords

07.13.2012 – Attended BSidesCLE

Now that I’m a grown-up and actually have held a job that requires growing, I’ve gone to off-site meetings or demo days. So far they’ve always been in nice hotels, provide breakfast, lunch and refreshments, but what they really are is a sales pitch. Some better disguised than others, but nonetheless, for a professional function, during the work week, held in a hotel, they were fancy sales pitches.

This was the first time I felt strongly enough to use paid time off to attend something. Turns out, my current job is fantastic, and when they found out it was a Security conference, told me to cancel the PTO request and just go on the clock. I don’t know much about what happens at “hacker” cons, but the atmosphere at BSides was incredible compared to other off-site functions for work. Every other one was a sales pitch.

BSides, and I hope others match this experience, is a place to hang out. There was a lovely breakfast with plenty of good food, big, open tables and areas to gather and converse, and a schedule of events to learn things. Oh the things to learn; building an awareness program, lockpicking, anti-forensics, industry politics, and general pentesting. These presenters came from all walks, authors, executives, admins, pentesters, developers, they were as varied as the attendees. Before I got to the event I was feeling intimidated, I know I am a novice in all things InfoSec, but I want to learn, and that’s what the day was full of, learning. I was given an outpouring of information about how to do things, learn things, and think about things differently. All the speakers drove the point home, “we can do this, why aren’t you?” about their day jobs, about their hobbies, about their lives in and around the community. No one was unapproachable, no one was concerned when things had to change last minute; re-write a talk, have someone sub with one of their old talks, let’s just keep the show running. It was great to experience this and take away the feeling I can get to that point.

What did I really take away? The same thing this blog is built to enforce. Changing is hard work. Sometimes the hard part is plugging away with no end in sight until something just clicks, sometimes it’s learning 100 new skills at once and trying to balance. I learned that I’m always one click, one video, one blog post away from learning all the secrets, but really what it takes is DOING. More and more I know how to learn things; do them. Now I have a job that will PAY ME to go to things to learn. They will pay me to prove that I know things by getting certifications. They do this to keep me happy, but to also give me a path. They do not dictate that path, I am open to choose these topics, choose these certifications. I have to pay this back by following a path. Doing more than just watching something pass by and reading about it.

Post 1

So who am I?

Nobody, at least, not yet. I’m “from” the midwest, about average height/weight/build/etc. I’ve graduated from a school or two, then started to (slowly) learn about things. I’ve done art; ceramics, drawing, animation, sculpture, design, and probably a few other things. I’ve done hard work; restaurants, construction, yardwork, again, probably a few more I’m forgetting. I’ve been an “administrator”, a “coordinator”, an “analyst”, an “operator”. I don’t know how any of that really defines me. I like to read; blogs, books, manuals, instructions, stories, histories, accounts. If it’s words, I’ll probably read it, at least for a little while.

This is where it gets interesting, at least for me. In a recent blog post Shawn Blanc talks about his writing and gave the following bit of wisdom; “Reading about writing is not the same as writing”. My whole life I want to be a creator. I’ve spent years at this point reading things by writers about how to write and ignoring their #1 comment:

To be a writer, you have to write.

So I’m writing. I don’t know where it will lead, or how long I’ll be able to continue to do it, but I’m starting.

What are you writing about?

Probably everything I can think about for a while. I need to find my voice. I know my opinions, but formatting them in a logical fashion is not commonly my strong suit. So this will be all about the things I know; mostly Macs, a little about good design, and general tech; gadgets and computers. Probably, hopefully just as much about the things I don’t know but want to; InfoSec, good design, moving forward with creating, doing things, rather than more reading.