Reader

A colleague of mine I worked with extensively over the past months told me that she attended a security conference this week, but left early. I asked why.

There was nothing there that was relevant to me.

This was not a new experience to me and I congratulated her that she passed a significant milestone. When you focus on cloud security, this is not unusual. The last few years I have found that the most relevant conferences were DevOps and cloud-native conferences, where security was only an aspect – be it an important one – of the conference scope or cloud security-specific gatherings, rather than the more typical cybersecurity conferences, where cloud is often absent. This goes for the big name conferences as well as smaller events.

Stuck in What We Know

I recently spoke at a two-day closed audience cybersecurity conference. It was filled with fascinating talks, but the only cloud security session was mine. This low representation is not unique to smaller events, but also the case for the big-name conferences like RSA, Defcon and Blackhat, CCC conferences, and others.

Malware, ransomware, phishing, appsec, data privacy, memory corruptions, data privacy, OSS-, software supply chain- and network security are all important topics, and conferences want to cater to a broad audience. But infosec/cybersecurity conferences seem to be stuck in familiar territory while around us the world is in the middle of a massive cloud transformation.

Cloud Security is Elsewhere

I yearly get my talk proposals rejected by the RSA selection committee – it's OK, the feeling is mutual ;) – but colleagues of mine and myself have presented repeatedly on cloud security at fwd:cloudsec, KubeCon, ChefConf, and elsewhere. The first is a cloud security specific conference, the other two are cloud-native and DevOps conferences where security is not the only topic.

Cloud security seems to be largely debated via blogs, podcasts and social media, and aside from a few exceptions, a “guest” at others' events. It reminds me a bit of drum & bass in dance music, largely happening via (initially) pirate radio, the internet, a small side room at multi-stage party, and the occasional club with a DnB-only night on a Monday or Tuesday.

Developer Autonomy and the Irrelevance of a Department of No

In a cloud landscape, the traditional gatekeepers are gone. Rather than network security teams or infrastructure provisioning teams providing some level of central control, developer teams through everything-as-code deploy entire landscapes independently from such gatekeepers, and have far greater autonomy. They may choose cloud-native platforms that your traditional security tooling doesn't know what to do with. Modern CI/CD pipelines with frequent deployments require security teams to respond far more quickly than they are used to, and pose whole new challenges they haven't seen before.

A Department of No that is not prepared for the threats and risks of the cloud as the organization around them rushes into cloud transformation is at risk to become irrelevant and likely to be ignored.

Cloud Security Must Have a Place in the Mainstream

Security teams are often slow to respond to our employers racing into the cloud . That goes for security standards as well, with ISO and NIST only slowly becoming aware of the cloud. Security certifications lag as well. Since cloud security is underrepresented in the usual cybersecurity information channels, it is not easily accessible.

Cloud providers and cloud security vendors have done good work, but how does someone new to the topic navigate this ever evolving market and know who to trust? Even if you select good vendors, how do you operationalize their solutions into your processes? Where do you learn from prior experience?

How would you know that the best cloud security practitioners network is on LinkedIn? How would you get to know the key contributors to follow to grow your network, and get into the stream of blogs, podcasts and events where cloud security approaches and practices are shared, based on actual experience? Even that is only, as far as I know.

It is high time that cloud security finds a place in the infosec mainstream, to establish more structured and stable fora to share practices broadly – to those coming into the cloud security community new – and deeply – for those already there.

In an ordinary forest sat an unremarkable pond brimming with countless identical tadpoles.

Mottle did not like blending in. “Someday, I’m going to stand out,” she said to no one in particular.

“Why? Do you want to get eaten?” exclaimed Spish… or was it Bloit?

Wub swam up, “Mottle wants to ‘stand out?’ Good luck with that. I’ll be hiding in the mud.”

As their tails shrank and their legs grew, Mottle still secretly hoped to be different, unique.

They became frogs, brown and green with black spots. Perfect for blending in and staying safe.

All except for Mottle.

Mottle was purple. Not just the dark purple of deep water, or even the soft purple of an iris, but a mighty, iridescent purple.

“Stay away from Mottle!”

“I bet hawks can see her from the air.”

“She’s like a great big beacon for predators.”

Not welcome in the water, Mottle spent most of her time climbing in the weeds and singing, her bright skin blazing amongst the greenery.

Her song was entrancing, and even though the other frogs enjoyed listening, they would not accept her. Bloit yelled, “I hope you get eaten!” before diving back into the pond, brown swirls following him into the murk below.

Mottle sighed and kept singing. She chirped and barked and croaked and whistled and whined weaving music like no frog before her.

Every cottonmouth or raccoon that saw her couldn’t bring themselves to eat anything with such a talent for song.

Still, no one was happy. Spish complained, “Thanks to Mottle, more of us are getting eaten just because everybody comes to hear her singing.” Wub added, “If I weren’t so good at burying myself, I’d have been someone’s lunch months ago.”

Finally, the eldest frog, Glergle took action, calling Mottle down.

She swam in front of him full of worry.

“Mottle, you have consistently brought danger to the entire pond. Your ridiculous skin is a distraction and your incessant singing is bringing predators far and wide.”

She was silent.

“We have no choice but to banish you. Get out and don’t ever come back.”

Mottle was motionless, stunned, but managed to eke out, “I could stop singing, I could sit in the middle of the pond all—”

Glergle interrupted her with a single, “No.”

“But you are my family,” Mottle insisted.

“Some things are more important than family,” Glergle intoned. “Now get out.”

She hesitated.

“Go! GO!!!”

Mottle dashed away in a cloud of bubbles, crying to herself as she hopped through the mud and weeds, dryer ground, brown leaves, tiny stones until she was further from home than she had ever been. Climbing the nearest tree, she sang and cried. She sang of loneliness and friendships lost, of trusts broken and promises forgotten, of childhood fantasies giving way to cruel realities.

She vowed to sing until she could sing no longer, to keep going day and night.

Weary and weak, she sang on through sunsets and sunrises, barely aware of her surroundings, slowly starving herself and becoming dangerously dry and brittle.

Until, at once she was blinded by a brilliant flash of light and fell. But not to the ground, to some sort of slippery translucent cave. She was so tired, she resolved to simply fall asleep expecting to never wake up.

After an unknown time, she opened her eyes. She felt moist and could hear flowing water. In front of her was a live cricket with no legs that she quickly ate.

“Am I in heaven?”

“No,” said a deep voice. “But it might as well be.”

She focused further out and saw a frog larger than she thought possible.

“Ah!” she tried to jump away but was still too worn out.

“Hey! Relax! I’m not going to eat you. There’s no need for that here.”

Leery, but with little choice, she settled down, “Where am I? Who are you?”

The huge frog continued, “I’m Dom and this is our little paradise. Humans feed us, make sure we are healthy, and come by to tell us how amazing we are all day long.”

Mottle crooked her head, “Why don’t they eat us?”

Dom laughed, “Eat us? They love us!”

She noticed Dom’s coloring, “You’re very… orange.”

He nodded, “Yep. And Urdip is blue, Pic is yellow, and Kree is red. We’re like a rainbow.”

She finally noticed the other smaller frogs behind Dom.

“What’s your name?”

She smiled, “Mottle. My name is Mottle.”

“Well, Mottle, we welcome you.”

Mottle inched out of the safety of the small indention she’d been placed in, “Don’t you think my color is a bit much?”

Urdip, a very skinny frog with long legs and eyes that seemed to never stop moving skipped forward, “No. Why would I?”

Pic, a tiny frog no larger than a cicada added, “Where I’m from, a color like mine is a signal that I am a frog of great importance. People would gently pick us up and make sure that our homes were safe.”

Kree seemed slower than the other frogs and added, “You must have been pretty special, too with a polish like that. It’s like… so… shiny.” He continued to stare at Mottle without saying another word.

Mottle tilted her eyes back and looked over herself: still so purple she was almost glowing.

Dom groaned, “Don’t mind Kree. He’s eaten a few too many strange mushrooms if you know what I mean.”

Mottle felt the ground shake and could hear a commotion somewhere nearby. Scuttling back to her hole, Dom called after her, “No! Don’t worry!”

Urdip was already beside her, “Mottle. These are our fans. It’s time to give them a show.”

She was confused, “What do you mean?” She was still inching toward safety.

Pic, while scurrying toward a stick to climb yelled to her, “The people who love us, they take flashes of us and ‘ooh’ and ‘ahh’ over us every day. It’s why we get the good crickets, my dear.”

Kree was shuffling toward a leaf to stand on and Dom just stayed right in the middle. Nobody could miss Dom.

Urdip beamed, “Come with me, Mottle. We’ll dazzle ‘em!”

Mottle decided to follow her and see what all of this was about. Urdip bounded toward the glass and jumped right up on it, sticking in place.

She studied Urdip and wondered if her color was a mistake or if all of her kind were like that. The vivid blue reminded her of the way the sky looked from under the pond where she used to live.

She didn’t think she could stick to the glass, so she climbed up a nearby branch and held on.

People began filing by. Mottle held her breath but the others had been truthful. There were startled sighs and tapping of glass and murmured words and many, many flashes.

No one tried to eat them or capture them. All they had to do was be themselves.

She was so happy that she closed her eyes and began to sing. She chirped and croaked and whistled and told a story of being lost then found, of being afraid then safe, of being alone then accepted, of being ashamed then free, of being an outcast then loved, of loss and new friends, of no longer hiding.

Mottle sang for hours and did not notice the other frogs circling around her or the people calling friends on their phones to tell them about the amazing frog they just saw.

She stopped her song and looked around, “Oh! Sorry, I’m sorry! Did I do something wrong?”

Urdip was wiping a tear away from her still twitching eye, “Wrong? No, honey, that was fantastic.”

Dom bellowed, “A new star attraction is born.”

Pic was licking her lips, “We might get snails to eat if she keeps this up!”

Even Kree was impressed, “I totally felt what you were doing there. Deep. Truly deep.”

And so, thanks to Mottle, they became a wildly successful exhibit. Researchers came from around the globe to study Mottle and try to determine what drove her ability to out-sing her peers.

And the people, they just liked hearing it.

---

This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/2.5/ or send a letter to Creative Commons,543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

I replaced my 7 year old MacBook Pro yesterday. I installed UTM instead of going with Parallels. So far, so good. Stood up a MacOS vm. It seems to hang occasionally. Don't love that. I also installed a Kali/ARM vm. Haven't done much with that one.

My objective is to keep the base OS as “clean” as possible. Install few additional applications. Use mainly the browser, native Apple Apps, Edge for work, and Obsidian. All the “weird” will be pushed to vms running in UTM.

“Psychomancer” and what it means

I call the universe in which I create my stories “Psychomancer”. It has been thusly named for 30 years, since I first read Simon's Necronomicon and starting consuming the works of HP Lovecraft and August Derleth.

This is a world where magick is real, but hidden. It's a world steeped in the Cthulhu Mythos, where the Dreamlands are real, where the Deep Ones dwell beneath the ocean, where Atlantis fell 15,000 years ago. But calling upon Outsiders is not the only magick available. All magick is but an artifice over a deeper manipulation of all things. It is a system to understand that which cannot be fully comprehended by a human mind. There are dimensions of reality both above and below our own and each has its own native life. We cannot see them as we have no word for, no concept of, the directions we would have to “look”. Some life in these other planes reach up or down to us while others are ignorant of anything but what it is in front of them. The fractal born machine elves inhabit a five dimensional reality, for instance, while living shadows peer up in envy from two. “Psychomancers” see the flow of the past into the future as a river in which all of reality sits and it has a preferred path. They can cause eddies, small redirections of current. They are workers of magick who sense and manipulate the subtle threads that connect all living and once-living things. Auras, the silver cords that bind us to them, the choices we make, our emotions and impulses, all impress themselves upon what we call reality as we move among the world, among the morass of remembered energies from past forms. Even the unthinking possess life as food is processed, textiles are created, ores are smelted, blending the experiences of the material into something new.

I will probably preface stories with “Psychomancer” in the name so you will know where they fall.

no, really, is it?

TL;DR

For the impatient, here is the final output from using ChatGPT to create service description documentation: – Final doc in Markdown format – (GitHub Gist) – Final doc in PDF format – (Box)

Overview

I’ve been working on building out an internal offensive security function and got to the point where I need some internal documentation as to the service(s) description, engagement model, outcomes, etc. Like a lot of planning, I started with an Xmind #MindMap, and with all the buzz around #ChatGPT, I wanted to see how well it could take what I have and build some docs for me.

In addition to Xmind, I use Obsidian for note-taking, jotting down thoughts, and organizing documentation. The object of this exercise will be to have #Markdown formatted text that I can make final edits in Obsidian and from there publish to a documentation repository.

ChatGPT Prompts

First prompt

I started with a pretty robust prompt. With the exception of the Objective paragraph at the top, this was 100% copy-paste from Xmind to the ChatGPT prompt.

Objective: I want to create a service description and engagement model for an internal red team. This service description should be formatted like a document with section headings and subheadings. Format the output in Markdown. The service components will be as follows: - the team will manage the scheduling process - the team will determine the activities that must be completed to adequately test the target - the team will determine whether a specific test should be carried out by an internal team or if an external testing firm needs to be engaged Pre-requisites for initiating a test include: - a system architecture diagram - a completed threat model document - access to the systems that will be tested The activities performed by this function will include the following items Document processes so they are Repeatable Defendable Create and perform Reporting with the following characteristics templates regular cadence tied-in to the risk review process findings go into backlogs, jiras, and project plans, depending upon the team and target demonstrated ability to remediate findings 

Engagement with developers must include 
  Regular sessions with R&D and IT teams that are developing tools and systems  
  Demonstrations 
  Threat modeling 
  
Engagement with System Operators must include 
  Educational review sessions with teams 
    system operators 
    Blue team 
    system integrators Demonstrations of exploit Collaborative remediation sessions Threat modeling

and the output

Second prompt – measurable outcomes

Now I need to define some measurable objectives of the program in #OKR format so we can measure its success. The results were pretty meh. I’ve tried OKRs and #infosec success criteria in other chats and they pretty much all come out the same. This section had to be heavily edits foor the final. Luckily, I’d already outlined them in the mindmap.

Prompts 3 thru 5 – flowchart

Now that I have a working service description and some needs-editing OKR (all a bunch of words no one will read), I need a flowchart diagram. I’m a fan of mermaid diagrams for their usefulness across various markup languages like Markdown and RestructuredText.

prompt

based upon the service description above, create a flowchart of the entire process beginning with scheduling and ending with concluding a set of tests. Output this flowchart in Mermaid syntax.

output

graph TD
A(Schedule Test)
B(Review Prerequisites)
C(Plan Activities)
D(Determine Testing Resources)
E(Perform Testing)
F(Record Findings)
G(Produce Report)
H(Engage with Developers and System Operators)
I(Conclude Tests)

A --> B
B --> C
C --> D
D --> E
E --> F
F --> G
G --> H
H --> E
H --> I


In this flowchart, the process begins with scheduling a test (Step A), followed by reviewing the prerequisites for the test (Step B). The team then plans the activities required for the test (Step C) and determines whether internal or external testing resources are required (Step D). The testing is then performed (Step E) and the findings are recorded (Step F). The team then produces a report (Step G) and engages with the developers and system operators (Step H) to remediate any issues. The process concludes with the finalization of the tests (Step I).

This was as decent start, and I had a couple iterations:

1. adding a decision add a decision to the chart after step E in order to determine whether the completed tests are adequate to move on to testing completion
2. inserting some more steps In the Mermaid flowchart above, tests need to be concluded prior to producing a report. Also, add a step called "Send to Product Management and Security Leadership" occuring in parallel with the "Engage with Developers and System Operators". Also, conclude with a step called "apply recommendations to target systems"

There were still some errors at this point, such as ChatGPT insisting on putting the “Conclude Tests” step at or very near the end, even though it’s really about the mid-point of the workflow. I could have continued the prompts, but at this point I decided to finish this off by hand.

Prompts 6 and 7 – RACI

Now that the processes are defined, we need to identify the responsibilities of each of the roles and how they interact.

From this, it’s clear that ChatGPT is good at formatting and generating a RACI matrix in #Markdown format, and this version has reasonable values for the roles, even if I don’t agree with them. Still, it was useful enough to have a good foundation that I could tweak, but before that, I added one last parameter:

add a new role to the matrix called Red Team Manager. This role should be responsible for teh scheduling and accountable for everything else. Add two new processes called Review Findings and Remediate Findings. The Developer is responsible for the former and the System Owner is responsible for the latter. Recreate the RACI matrix with these new parameters and output the Markdown code.

And this changed the RACI to basically make the manager accountable for everything.

Finishing up

At this point, I felt like I had the elements I needed, so I began the process of copy-pasting them from the interface into Obsidian and making tweaks to get a usable service description document.

The final output from using ChatGPT to create service description documentation: – Final doc in Markdown format – (GitHub Gist) – Final doc in PDF format – (Box)

Migrating PasswordSafe to KeepassXC

I’ve been a longtime user of #PasswordSafe (or, “PWsafe”), back since Bruce Schneier was managing authorship and maintenance. With all the issues experienced by online providers like LastPass and 1Password (but especially LastPass, by miles), I think the usage of a local password database with sync to a personal #NextCloud instance is the way to go. I’m happy with PWsafe; it’s worked well over the years, but I need to share a few passwords and would like some expanded functionality such as managing SSH keys, so I looked to #KeePassXC, which appears to be the most up-to-date and maintained branch of the KeePass and KeePassX family. KeePassXC is desirable because it is natively multi-platform, whereas the original KeePass is written for Windows, and emulators are required to use it on operating systems like Linux.

Importing passwords

There is no direct import from a PasswordSafe format to KeePass database format using KeePassXC like there is from LastPass to KeePass. A tab-delimited file can be exported from PWsafe, and KeePassXC can import a comma-delimited (“CSV”) file, however, I make heavy use of nested groups, and the work to prepare the CSV file looked like a major pain. Luckily, the original version of KeePass supports direct import from PWsafe.

Armed with that knowledge, this was my path to import my passwords 1. Open PasswordSafe and export the database in the XML format (be careful with this file and delete when done!) 2. Download latest KeePass 2.x from https://keepass.info/ 3. Open KeePass, create a new KeePass version 2database, and import the XML file 4. Export the file as KeePass version 1.x database format 5. Close KeePass 2.x 6. Open KeePassXC and create a new database in a temporary location (doesn’t matter, we wont’ use it) 7. Import the KeePass 1.x database with the passwords 8. When prompted, choose the location and name where you want the database 9. Done!

Finishing Up

Make sure to explore the settings, such as adding a Yubikey and/or keyfile. When everyhing is as you want it and working, delete the interim files (XML, KP 1.x and 2.x databases), and make a plan to retire the old PasswordSafe data.

References

• KeePassXC
  • KeePassXC user guide
• KeePass – original
• Yubikey and KeePass

What is this? Test?

DroidFS by @hardcoresushi@mastodon.cipherbliss.com

[Links]: Fdroid • Github • Gitea • 🏺⁠Pithus

📦⁠sushi.hardcore.droidfs GPG Key ID: AFE384344A45E13A

#DroidFS is a handy little encrypted overlay filesystems tool for Android. It is a #Gocryptfs and #CryFS wrapper developed to use the ContentProvider API and does not require root. It also comes with a built-in viewer for encrypted media files and such.

You can store files in three types of location: ⭐️⁠Hidden containers (/data partition) ⭐️⁠Internal phone storage ⭐️⁠External sdcard storage* * (baring some limitations)

The 1.10.1 version of the app from F-droid works great on my Samsung Galaxy S8 (Pie, API 26), however I ran into crashing on my S20 (Android 12, API 31) so I loaded up 2.0.0-alpha2 which fixed those issues.

Overall I am pleased with the DroidFS app and the security checks out from the source code and my current non-root perspective, however, I do not believe there has been a formal audit as of yet so use with that in mind.

https://infosec.exchange/@catsalad/109900182618331263

However varied our journeys into security are, we tend to come from two very different but specific backgrounds. One segment consider themselves hackers. The other originates in “milfed”, that is, the military, signal intelligence and law enforcement.

We are two tribes, distinctive enough that we each even call our industry by different names. To Hackers it is infosec. To Feds it is cybersecurity.

Hackers

Hackers are those that messed about with computers at home or university, meeting up with others online or a hackerspace if one happened to be nearby. This is the world of phreakers and explorers, cypherpunks, IRC and phrack.org, which published seminal papers such as Smashing the Stack for Fun and Profit and The Hacker Manifesto. In this group you find high levels of support for Wikileaks and Snowden (at least initially), and Anonymous, Occupy, or BLM, if not active participation. Unsurprisingly, this tribe trends anti-authoritarian, even anarchist/libertarian.

This group dominates in Europe, and specifically, on the European continent. Germany especially, with its Chaos Computer Club, combines the hacker ethic with a social consciousness, focusing strongly on the effect of technology on society, and actively pursuing campaigns towards privacy protection of security of citizens. The L0pht notwithstanding, security seemed less of a topic in American hacker culture to me, as a European who moved to Silicon Valley. The Homebrew Computer Club, for instance, always struck me more as makers rather than breakers. Either way, this tribe has a natural playfulness.

Feds

Feds include those with a military, intelligence or law enforcement background. This group dominates in the US, other “Five Eyes” countries and Israel, coming from agencies such as NSA, GCHQ or Unit 8200, etc. but also the FBI or other police forces.

Culturally, with ranks and orders, this means a more hierarchical, authoritarian outlook, and its members are used to operate in far more structured environments. This is a much more serious tribe, coming up within a context of fighting crime or conflicts. This group believes in rules, policies and procedures, and expects them to be followed.

Natural Enemies

I remember the outrage in the hacker community when General Keith Alexander, at the time head of the NSA and US Cyber Command gave the keynote at Defcon 20. Known already for being attended by a variety of Feds leading to its nickname “Fedcon”, many (at least for a while) turned their back on the conference.

The Feds were the enemy. They went after Hackers that weren't cybercriminals – at least in the eyes of the Hackers. They were the ones that turned Sabu. They were the ones that started the Crypto Wars and pushed NIST to include a flawed algorithm in their encryption standard.

And Then We Had Bills to Pay...

As Hackers got older and Feds left the service, we got married and got mortgages. We found ourselves thrown together in the companies and organizations building up security teams and functions, or developing security tooling, protecting systems against ever more professional and sophisticated attackers. We became colleagues, partners, vendors and buyers, and had to work together, whether we liked to or not.

But it has largely worked out. More even than paying the bills, I am convinced that our shared deep concern for security and privacy allowed us to look beyond our differences and build relationships. Still unquestionably a Hacker, I work closely with and for Feds, with great shared mutual respect. They have been and are mentors just as dear as Aleph One.

In hindsight, now about 10 years later, General Alexander's keynote sounds like a brave – if sometimes awkward – invitation to a justifiably reluctant audience. It also sounds far less controversial and even prescient, stressing a “shared responsibility” and working together with industry and the hacker community that is now manifested through CISA and still echoes through the White House's National Cybersecurity Strategy published this week.

If Hackers and Feds Can Do It

What is so fascinating is how we manage to work together and trust each other without losing our respective identities. I am still a Hacker, I don't feel I have “sold out” or anything. My Fed colleagues and partners haven't suddenly become Hackers, either. The Venn diagram of Hackers and Feds remains pretty much two circles. With shared goals to protect society against cyber threats, these unlikely partners rise above our differences to drive meaningful security programs, though.

That gives me hope for society as a whole, and our ability to build bridges across different tribes, cultures, subcultures and other divisions. If Hackers and Feds can do it...

I wanted to share some notes on how my job search went this year. I was looking for a security engineering role here in Stuttgart, Germany, or remtely, ideally for a company with an established security team or culture, where I could learn from established processes and mentors.

Tools I used:

• LinkedIn Jobs
• Infosec Jobs
• I posted a thread on Infosec Dot Exchange about my job search

Applying for jobs

On LinkedIn Finding jobs to apply to was not as easy as I had expected. LinkedIn Job's search query is pretty bad. Searching for “security engineer” returned many unrelated roles. By the end of my 2nd week of applying, my search input was “security engineer -fullstack -backend -cloud -junior -software -informationssicherheit”. That last word may be surprising since it means Information Security in German.

I don't speak German well, and that closed 75% of job postings for my local area. This and the fact that I don't have a degree in a technical domain are probably the reason I got rejection emails in less than 24 hours from a certain number of consulting companies.

The jobs I could apply for were mostly with start-ups that were remote-friendly, were looking to start a security program and were looking for their first hire. That was not really what I was looking for, but I could not afford to be picky.

I applied to every job where I matched 50% of the requirements layed out in the job description. This is a tip I got from the Women in CyberSecurity (WiCyS) mentorship program. Research has shown that women tend to apply for jobs only when they match 80% to 100% of the criteria, but men tend to apply a lot more freely, where they match ~50% or more. So I decided to be bold and that paid off.

Cover Letters and Resume For cover letters, I usually copied the job description into a new word doc and used the wording of the job description to describe the work I have done and how my experiences fit with the job opening. I did not do this for all the jobs I applied to, but it was very helpful. There is nothing more daunting than starting with a blank page.

I've met someone recently who has attended CactusCon this January. One of the talks there was about using this technique too, but for creating job-specific resumes rather than cover letters. That seems like a lot of work, but I'm sure that's a good way to write a solid resume. Here is the resume I used for all my job applications.

Stats

• Applied to 34 Jobs over the course of 3 weeks
• 12 automated rejection emails
• 9 companies wanted to interview
• 2 I declined before talking to anyone
• 7 interview processes
• 2 Offers
• 5 interview processes I stopped because I already got good offers from companies I liked better

The Interview Process

For the companies that did find my resume interesting and started the interview process with me, none rejected me throughout the different rounds. The type of interviews I had were a little different everywhere. Some companies had technical rounds, with sample penetration testing exercises, but most where simply chats through my experience and discussion scenarios, strategies and tools. Nothing too challenging. The key for me was to remember that: – How I do on this interview does not define me. – Whether the people I talk to like me or not is not a reflection of who I am as a person. – It's okay if I am not a match for what they are looking for. It's okay if they are not a match for what I'm looking for. – Be honest and transparent. Be open about what I don't know. – If I fail this interview, I will learn something and be better prepared for the next one.

I usually took a few minutes before the interviews to scribble some version of that at the very top of my notepad, to let it sync in and be a reminder during the interview. This helped me go into all interviews quite relaxed.

Negociations and accepting an offer

I wrapped up the first two interview processes within 3 weeks of first applying. Both were with large, stable companies, with established security teams, and the jobs were fully remote. Both also happen to have women team leads. They were exactly what I was looking for, so I started turning down some of the other companies (all start ups with no security team) I was in process with. I sent everyone polite messages letting them know I was moving forward with another company, and added the hiring managers on LinkedIn to build my network and keep in touch.

Every single company I talked to either asked about salary expectations when submitting a resume or in the very first interview with the recruiter. I am glad that was handled early so that there were no surprises when the offers did come through.

I used offer A to negociate offer B. A had a higher total comp. Company B matched it. Then I went to company A, told them I had another offer with a higher montlhy gross salary. So they (almost) matched it. In the end, the offer I accepted was almost 15% higher than where it started.

Negociating was very uncomfortable but it was worth it.

A few other notes

Networking In December, I attended BlackHat Europe in London, with the main goal of networking in preparation for my job search. I made some connections, but none that led to opportunities this time around. I also attended OWASP's Global AppSec Conference in Dublin in mid-February. I met a lot more interesting people there, but by that time, I had already accepted a job offer, so I got to fully enjoy the conference. None of these trips were wasted efforts, since I get to build and strenghen those connections now. I hope to meet some of the same people at future conferences, and to be able to help them find their next job too.

On job searching in Stuttgart I have a friend here in Stuttgart who also works in the cyber security industry. He has about 2 years of experience in cyber but in a non-technical area. He is also German and has a masters degree in physics. He told us he got a job offer after a single one hour phone interview with a major consulting firm. Like I mentioned earlier, I was turned down very fast by similar companies, despite having more experience than him, but I attribute that to the language and degree requirements a lot of those companies have here. This is Europe and this part of Germany can be considered especially conservative and slow to change.

All that to say the job market is very hot.

This blog started as a Mastodon exchange with Program J and Michael Olsen. They are not responsible for me stretching the metaphor to breaking point. Any similarity to real secret society ranks and titles is only meant to be illustrative.

Barriers to Entry

We have supposedly 3-4 million open cybersecurity position globally, and 700,000 alone in the US, yet it remains notoriously difficult for interested aspirants to break into the industry. Job requirements set unrealistic expectations, while candidates are expected to get a variety of certifications from organizations the industry doesn't even necessarily trust, and may still not get you a job because you lack experience.

Meanwhile those already in the industry, especially those in leadership positions and decades of experience, often got in by accident, through proven skill, or knowing the right people. Their own career trajectories are so often unusual to the point that it warranted its own podcast series on ITSP Magazine, The Uncommon Journey podcast series at some point.

Despite excellent work done by people and organizations helping those looking to break in, we seem to have a structural problem where we set unrealistic barriers we never applied to ourselves. That makes infosec less a mature profession than a modern-day secret society, a 21st century masonic lodge.

Entry through Introduction

Entry into secret societies is through introduction by an existing adept, vouching for the prospective initiate. Once you manage that first introduction and your first job, you've completed your initiation and are part of the group.

Regardless of your certs, the more senior the adept making the introduction, the higher the initiate's entry level. Tough luck if you don't know any, though.

Secret Codes and Symbols

The profession is filled with multi-layered secret knowledge and jargon, with lower levels of esoterica filled with alphabet soup acronyms invented by analysts, only to discover at higher levels of initiation that those are a smoke screen to distract you from the truth that DLP and DSPM are just aspects of data security; NGFW, WAF, IDS/IPS and NDR are network security; and Zero Trust, CIEM and IAM are identity, authentication, authorization and role-based access control.

Our rituals are conference talks, where we talk in jargon about esoteric topics showing terminal windows and code fragments, demonstrating exploits perhaps only some understand, filled with memes, troll faces and cat pictures to throw off the uninitiated. We perform ritual libations for first-time speakers. We post memorials on the blockchain.

Public knowledge is published in standards, but even then we might put them behind a paywall or require a membership. It comes from the cybersecurity vendors to sow fear, uncertainty and doubt. Increasingly secret and deeper knowledge is exchanged in podcasts, LinkedIn posts, blogs, social media (where we may switch platforms if we so wish without telling anyone), github commits or closed chat channels.

Some Masters are frauds, some turn out to be utter abusive assholes. Only insiders know who they are.

Tribes and Clans

We have tribal categories of Hackers and Feds, and separate ones of Red, Blue, and Purple teams with the first determining your Ancestry and the second your Guild – and that doesn't even include the Wizard tribe of cybercriminals who you don't meet until they join one of the main tribes, you gain their trust or they get arrested.

Seniority among the Hacker tribe is determined by how many Defcons you attended or villages you hosted, how many even more obscure Chaos Computer Club conferences you attended, or through legendary exploits. Seniority among the Feds is counted in years of service and what level of classification you're cleared for.

The tribes are broken down into clans whose characteristics you only learn through further levels of initiation.

The Policy clan of academics are idealists, whereas the Industry Analyst clan claim broad knowledge without worrying too much about the nature of True Reality. The SOC and SecOps clans, meanwhile, accept those with book knowledge are well-intentioned but insist they don't know what they're talking about.

Cloudsec and DevSecOps clans want to change all the others' mindset and update all the rituals, saying the old magic doesn't work anymore.

The Signal Intelligence (NSA, GCHQ, BND, etc.) clan doesn't talk, can't talk about anything, but lends credibility to your meeting with other tribesmen.

The Accountants of GRC and Audit, the State Regulatory Church, the serial startup founders and the corporate behemoths of the cybersecurity industry, the data privacy clan that isn't even sure if they're still in the same secret society anymore...

Can we talk about the Furries?

Ceremonial Robes

Security Researcher, Pentester and Red Team clans can wear pretty outrageous attire and facial jewelry. The SOC and SecOps wears dark and muted clothes. Cloud sec dyes their hair in all colors. They all wear hoodies.

The GRC clan, of course, wears collared shirts and shaves. Signal Intelligence khakis and blue blazers.

The Furries... well...

Not The Sign of a Mature Industry

However fun this all may be, this is not the sign of a mature industry or profession. It neither helps us bring in new talent, nor does it help us communicating to the business and the board room. However comfortable it may be, it has become self-destructive. It's time to throw open the doors and go mainstream.

Secret societies aren't bad. Masonic lodges promoted Enlightenment ideals when that was still radical, and allowed people to exchange ideas while transcending social classes. When society as a whole moves on, though, and hackers getting together no longer risk arrest but represent a 200 billion industry, protect trillions of economic activity and our integrity as humans and citizens, it is time to grow up.

So, just to be clear – I am writing this in a liminal mindset of mild alcoholic intoxication, but frankly, that should be quite appropriate to the topic, being a rather liminal space of its own.

One of the things I am particularly fond of are liminal spaces. These are:

Liminal space refers to the place a person is in during a transitional period. It’s a gap, and can be physical (like a doorway), emotional (like a divorce) or metaphorical (like a decision).

“This is where one thing ends and another is about to begin, but you are not quite there yet, you are in the space between,” says New York-based mindset expert Kirsten Franklin, a transformation coach who works regularly with professional athletes and high-level executives.

The tricky part to negotiating this void is that it also holds a huge helping of the unknown. And by and large, experts say, humans don’t like to exist in a space of unpredictability.

source: Liminal Space: What Is It And How Does It Affect Your Mental Health?

See, I disagree with this idea of not liking to exist in a space of unpredictability. I am actually very comfortable with that and such in-between spaces. I revel in them and appreciate their special character and opportunity.

What I feel is a missing from the definition is a temporal aspect. It is not just an in-between space. It's an in-between time space as well. Airports, but even more the actual flights themselves, are perfect examples of that. We're thrown together with a bunch of people in transit, cut off from the rest of the world for a period of time. International flights, lasting 10+ hours, are complete out-of-time experiences, disorienting us from the local time at our destinations.

I love hotel bars. Hotel bars, compared to air travel, are more spatially settled and located, but are just as transitory as airplanes, where normal time is suspended. They are filled with jetlagged guests. And they provide far more opportunities for interaction and adventure.

Ships Passing in the Night

Business travel, whether US domestic or international, involves different in time zones, adding to a general liminal sense. The hotel bar is a 21st century port, where people from different time and spatial dimensions congregate. We're all from somewhere else, and even locals invited as guests of visitors tend to feel a little out of place. After all, if you're local, why are you here? Who or what are you here for?

Magic happens in hotel bars.

We're from every place and every hour.

We speak different languages, grew up different places.

We're every age and every gender.

We're away from home and will never see each other again.

Unusual trust and connection occurs between strangers.

Emotional, spiritual, ... physical.

Liminal Relationships

I remember a Mongolian in Beijing. An Australian colleague in Tokyo. A southerner in New York. A Mexican in Dallas. Gringos terrified in Mexico. A Texan in Frankfurt. Colleagues from Shanghai. Others from Singapore. A South-African in Germany. Mainland Chinese in Melbourne. Italians in Buenos Aires. A Fijian in Atlanta. Iranians in China.

Lost in Translation

Lost in Translation, the movie directed by Sofia Coppola and starring Scarlett Johansson and Bill Murray is the ultimate liminal space and time movie. Much of the movie is spent in jetlagged and liminal confusion wherein the hotel bar plays a strange anchoring role of stability. It's where we go when we feel alone and restless and cannot sleep. It provides a safe port in a strange land where we don't know the rules and local dynamics. It's where we're connecting across time and space. It's where we bond, make plans, and hook up. It's where we're protected by security guards and glass doors from the immediacy of the politics and social dynamics of wherever the fuck we are.

A home away from home, free from any history or consequence. Yet providing lasting memories and insight into the human condition. Or, to be fair, dumb drunken oblivion.

There is a magical document. Nobody tells you how to find it or make one. But it is the secret key to get security programs – or any program – funded.

It's a good Executive Deck.

The Skill That Nobody Teaches

Let's be honest. Many people in security are not the most social to begin with. We chose security as a career path for a reason, and putting ourselves in the position of the business or a senior executive is hard. Even in business functions, though, this seems a skill you only pick up by witnessing the process. I had the opportunity to do so many times, and had a couple of good mentors, fortunately, but that is rare.

The larger organization, and the more senior the executive you are presenting to, the more layers in between will control the process. Executive decks have a format, and these gatekeepers will force you into that – even if you aren't aware what that format is and what the rules are.

There can be so many layers in the organization that your content gets edited outside of your control or even the control of the people you work with to get the content. As your program or team's funding depends on it, the more you can get your slides into the expected shape, the more likely it is you can still control the message. If you are presenting yourself, you will still need to meet the prep team's expectations to get the content approved. After all, you can always be struck off the agenda if they consider the content not worthwhile. You can't make your case if you didn't even get the opportunity.

The Critical First Slide

It is often a challenge to get any time from executives at all. They go through multiple short meetings throughout the day, expected to express an opinion or make a decision. For you, this may be the once-a-year or once-a-career opportunity. For them it's just Tuesday afternoon and after you probably someone else will be making a pitch or present a fire to be put out.

I mentioned these key points in post #5:

• Everything you want to say must fit in 3 slides maximum
• Make sure all that is most important to you is in the first slide — there is a realistic possibility you may not get beyond the first slide
• Realize that many execs are high-speed information absorbers, so get to the point immediately. Make your point in 5-10 minutes

You may get 15-20-30 minutes, but that doesn't mean you're going to get it all. Nothing is easier for an exec than saying 5 minutes before the scheduled end that they have to get ready for the next call. Something can always come up midway. A reschedule may take months. Moreover, you need to leave time for questions and decision making. If you can't make your point within minutes, it is difficult to get a conclusion in the same meeting. That might lead to another reschedule, with the associated delays.

That makes your first slide critical. The second slide is for supporting background information and metrics. The third slide is a detailed breakdown of your request. Everything you need to communicate, however complex, must be in one slide. This is a good structure:

What is the (size of the) problem?	How will you solve it?
Why do I care?	How much does it cost?

Divide your slide in quadrants. In each, in about 3 bullets describe the core message, ideally in sentences of six words or less. If you're like me, and think in paragraphs, rather than words, and have a tendency to add a lot of nuance, this is probably the most difficult part. Nuance is for the verbal presentation (including speaker notes) and appendix.

Grab Their Attention

Describe what the problem is that you want to address. It is important to give a sense of size. If the problem seems minor and not of the magnitude to warrant their attention, they will be inclined to ship it off to someone else.

The “why do I care?” part that follows is really about how much trouble am I/are we in for not doing it. The “we” is the organization or business unit as a whole. The “I” here is the executive, personally. We will care a lot about our particular problem. Executives deal with big problems all the time. You have to register on their scale to get attention. Their perspective is completely different from yours. If you don't get them to see your problem as their problem, you will lose their attention at this point instantly.

One exec that I battled a lot with told me once he appreciated the passion I brought to my topic. I returned the compliment by saying I appreciated that he dealt with a 100 priorities other than mine, so completely understood that at times we would come to different conclusions.

Do You Have a Plan?

Now that you have the executive's attention, you present your plan. You have a plan, right?! Nothing is worse than bringing a problem to an executive, making it clear it is their problem, and not have a plan to fix it. That's why you're here: to show that you have a solution. The fourth quadrant is to show the timeline and cost to put it in place.

It is important to understand here what the executive is looking for. They are looking for the existence of a (realistic) plan. They may ask for details, not so much for those details themselves, but for evidence that you have thought things through, can get started quickly, and that you are competent enough to gamble investment on.

Your cost should be, ideally, within or below expectations of what the executive expects, and of course be significantly less than the financial risk if the problem is not dealt with.

Follow-up questions is also what your slide 2 and 3 are for. Slide 2 is good for supporting documentation, slide 3 is for a more detailed cost breakdown structure, any headcount required, and how you will measure your progress. Any further information can be in appendix slides, or even a project plan, roadmap or other materials that can be shared upon request.

Visuals and Spokesperson

A good-looking deck helps good content, but it isn't a substitute for it. Good visuals and esthetically appealing slides that enhance the message will give a good professional impression, and again will raise the confidence that you can be competent enough with investment that could easily go somewhere else.

It is also important to pick the best possible spokesperson. Don't switch presenters, unless during Q&A when pertinent. The best spokesperson is the one that can deliver the message the best, not (necessarily) the one who owns the project, had the main idea, or did the slides. This is not the time for recognition and ego, it is the time to get the program funded.

The Squeaky Wheel Gets the Grease

An executive presentation can be intimidating. But hiding problems doesn't get you funded. The squeaky wheel gets the grease, whether we like it or not. The art is to squeak without being too annoying and making it clear you have an affordable approach to make the squeaking stop.

Good luck!