Be Curious

Final thoughts as we close out another year — 2023

Teri Radichel
Cloud Security


I wasn’t sure what I was going to write for my year end post this year. It was not the most exciting year. It had some sad events like my father passing away. That was probably the most momentous thing that happened in my life this year.

Different life events affect people in different ways. The way the passing of a parent affects one person may be very different from another. It is often not a singular, simple feeling for many people, I’m guessing. But it was hard on my mom, who this year spent her first Christmas alone in over 50 years. I can’t even imagine what that must be like, but her comment to me was that she was going to, “Choose Joy.” What a beautiful sentiment.

She is a strong person. I am not, really. I can get through things but I think all the stress over the years has caught up with me a bit and I’m ready to kick back and relax. I don’t feel the need to rush around to conferences and try to prove myself or gain credibility. If people can’t see what I’ve contributed by now, they likely never will. I’ll probably hit a few events here and there but mostly I just want to research, write, and help my clients.

For one thing, this year I’ve found myself to be so tired of the social media arguments and debates with people who don’t know what they are talking about. There are some cases where it’s a difference of opinion. There are some instances where a person is sadly misinformed but chooses to dig in and spread misinformation online. I’m through with that. You can spend hours replying to social media comments or comments on a blog that mislead people, but I have no time for that anymore. Everyone needs to take responsibility for their own information sources and critical thinking.

Life is too short. I was further influenced into thinking this way by the passing of my father. What are people going to say about you in the end? What have you accomplished? Who were you as a person? Did you just nitpick on other people’s posts on the Internet to try to make yourself feel smarter? You’re not helping anyone. And I don’t have time to try to defend all my ideas or points so I just pretty much stopped dealing with the comments and spent my time on digging in and doing more research.

All the time defending your past posts could be spent on researching and building new things.

That is my focus these days.

That’s what I’ve been doing for the most part on my blog all year. I could get things wrong and I have — and try to swing back around and correct things I’ve gotten wrong. I appreciate the intelligent comments I receive that are not derogatory, insulting, off-topic, and misinformed like many of them seem to be. I’m not sure if it’s an intentional disinformation campaign or just people trying to feel smarter. Lately, I’ve been wondering if these are generative AI bots. Some people have sent me a private message to explain when I have an actual issue that can be addressed and I fix things when I get those messages if I have the time.

How do you combat all the people online who are spewing out uninformed opinions, or just opinions in general, day and night? I see a lot of people posting commentary and opinions but no actual useful information that you can go back and use to improve your life or in the case of my writing, the security of your cloud accounts and applications. Do you recognize when that’s all someone is doing all day long that you follow?

How do you weed through all that noise? In my case, I block people who are rude or distracting. I try to follow people who are actually doing things. They are researching, exploring, building, and in general, getting things done. They are posting comments that help people solve problems.

The other thing I do is research, as mentioned. I’m constantly exploring, building, and coming up with things I didn’t know the answer to or in some cases I didn’t even know the question when I started. I take those questions and I explore and look at things. I don’t just read a post online and accept an answer. I actually try things out and see how they work.

That’s what hackers do. The term hacker wasn’t a derogatory term in the beginning as I explained in my book. They are people who tinker and reverse-engineer and try to see how things work.

One thing I did this year was renew my SANS certifications. I thought I wanted the material offered by the classes but the classes I reviewed only had like one or two new insights and I haven’t even had time to look at the rest. That took three months of my life to prepare for and when I got to the test, the practice tests and new content I received did not align with the test I got. I think what happened is I got the old test with material I studied four years ago.

As I was taking the test, I was sure I was going to fail and I started pondering if I would even bother to try to retake it. I know someone who failed and had to go redo the test. Somehow I passed based on four year old memories. I got much better scores on the practice tests once I regrouped after my first attempt to align my notes with that material. All my notes and studying were aligned with the new format. I asked some others who renewed their certificates and they said they got the new format — so there was definitely some kind of snafu in the process where I got an old test.

As I approach the beginning of the year, I remember how much of my life I invested into that process. Too much. Three months of wasted time (it feels like) when I could have been researching, writing, and building. I am kind of glad I got it at this point in my life, but I don’t think I will be renewing that again. At this point in my career, it may lend some credibility, but I don’t think it is worth it in the future and I have other plans.

If people are not satisfied with a BA in business, a masters in software engineering, a masters in information security, and 13 expired certs in 4 years and a bunch of publications and presentations demonstrating novel approaches to cybersecurity — before they even get on the tests — then so be it.

What I want to invest the rest of my life into is learning and improving security. I want to provide people with solutions that actually work and stop data breaches. Most of what people are investing time and money into right now has limited value. In order to do that, I need to keep exploring new ideas and how things work and see if I can come up with better solutions.

I’ve been working on one idea on my blog all year — actually since last year — and it would be farther along if I hadn’t had the two life events above, which significantly affected my time, mood, and energy this year. Since the beginning of Cloud Security I’ve felt like people just don’t get it and are doing it wrong.

They are trying to buy all these tools that they want to magically save them but in the end — security is architecture on the preventive side. When you build a skyscraper you don’t just buy a tool to build it for you end to end. You get all the people involved who take care of different aspects of the architecture, design, project management, building, and trade specialists like plumbers and electricians.

Why do people think they can buy a magic tool for cloud security? I don’t know. You need people who can write good policies and who understand the intricacies of how the cloud platforms and your applications and systems that integrate with each other work.

You need people who are constantly investigating, exploring, and evaluating them as they change, as I and other people I know are doing, like Scott Piper, Chris Farris (fellow AWS Security Hero), and Nick Frichette. They dig in to understand how things work technically and present their findings. Scott Piper seems to have some automated tools to monitor changes to AWS managed IAM policies, which is pretty cool. There are so many others, so that is not at all an exhaustive list, but these people come to mind immediately when I think about people researching novel solutions, attacks, and how things work in the cloud.

On the application security side my absolute favorite presenter is James Kettle. He digs in all year to try to understand a particular problem and presents on the topic at various conferences. He doesn’t give you a glossy overview of all the general things you should and should not be doing. He dives into the technical inner workings of systems to present things like caching issues that can embed malware on your site or extract data from visitors to your CDN. He finds detailed flaws in the integrations between systems and the ways they chunk and deliver data. That stuff is truly geeky and cool in my book.

How do they do it? I would say first and foremost these people are curious. They want to get into the meat of how things work. They dive in and explore to understand at a lower level than most of the glossy verbiage and commentary I read online when it comes to cybersecurity and figure out how things are actually working and how they can be broken or abused. Or in some cases, they are just broken to begin with due to an unfortunate design. In other cases, they find the cracks or the “things between the things.”

I learned about a way to draw better by taking art classes in college. To draw the line appropriately, you look at the negative space — not just the object you are trying to draw. It was a fascinating concept to me and something I think good security people do a lot. It’s also something good QA people need to do as they not only perform functional testing but testing of all the things that shouldn’t happen or shouldn’t exist in an application.

As I wrote about in a recent Twitter thread, if you want to know who to follow, do your own research. Get deep dive training on how to dissect network packets, for example, and learn how malware works. Study breaches to understand how attackers are breaking into systems. Then design your systems to prevent those breaches.

Over time, you will learn and understand who to follow and who is giving you the best advice based on an informed decision rather than follower count or an exciting talk at a conference. Though some people who have a lot of followers are definitely worthy of that count, some are just really good at influencing people.

Others, like me, aren’t so bothered with influencing. We just have our nose to the ground and are trying to figure things out. I don’t know how many times companies have tried to pay me to be an “influencer” for their product or service. I don’t do that and I finally updated my LinkedIn profile to explicitly call that out so they would stop trying to pay me to do that. Perhaps I am losing money as a result but I don’t care. I like money, obviously, but I’m not 100% motivated by it.

I am motivated by money when I believe in the product or solution, and when I can do something that makes a difference. And these days — I don’t want to be in an argumentative, political environment in corporate America. I’ve had enough of that over my career and I’m so tired of it. So mainly I just answer calls for people who have security questions via IANS Research (contact me on LinkedIn if you want to become a client) and I perform penetration tests, speak mainly at events where I am paid to do so, and have done a bit of training. That’s it.

I only mentioned a few people in this post but there are many, many others. I follow some on social media if you want to see who I follow there. Some people are just long time followers whom I have been in contact with years but some of the people I follow are some of the greatest minds in cybersecurity who post security research. And that’s why I’m really on Twitter. Or X, I mean.

I want to find great minds publishing new interesting things (not regurgitating everything they read on someone else’s blog) that I can use in my work to help people build more secure systems to protect people and data. I explained why that small hack in your system may mean a lot more than just an attacker on your network in my book at the bottom of this post.

My advice to anyone who is gung-ho and starting out — is to be curious. Don’t just follow the herd. Don’t believe everything you read without investigating other sources. Avoid the hype. Dig in and learn how things actually work and how they are applied appropriately — like the latest AI buzzword recently usurping machine learning as the top overused term in all of technology for the past few years. I wrote about my take on AI here — which I first saw when I was like 8 or 9 on the computer of a guy who worked for the US Air Force. AI is not new. It’s getting better. It’s not appropriate for all scenarios and solutions.

When I saw that Jeff Bezos (a name I didn’t know at the time — he was just “some guy” to me back then) was going to try to sell books online, I thought, aha. That is the future. I switched jobs. It was obvious to me that you could look at a website, view products, buy them, and get them shipped to your home. It’s a simple concept.

Alternatively, my dad wanted to invest in llamas but thankfully my mom talked him out of it.

He was right about the computers, but not the llamas. Avoid hype.

I wrote about how my mom and dad got me into tech at an early age by accident here:

It all started because I was curious. I was tired of playing Munch Man and I wanted to figure out how to write my own programs — something I really had absolutely no clue about. I don’t even know how I figured out how to get into the right place to write the code or save them to a cassette tape. I just saw some code in a magazine.

Whatever you do, stay curious. Avoid the hype. I’ll say it again. Learn. Read. Watch videos. However you do it — dig in. Find out how things really work. Check multiple sources.

And don’t waste all your time dealing with social media comments and arguments. If you don’t like what someone is saying just mute or block and move on. I’ve seen a lot of women who have problems on social media, but that approach has served me well and I haven’t felt particularly bothered.

Don’t waste all that time on the noise. Focus on your curiosity and what you want to learn and know and do and be. Because life is too short. Don’t waste it on nonsense. Think about what you can accomplish and how people will remember you.

How will you remember yourself? I heard a story on the radio about how people remember all the bad things they did. Even the things they convinced themselves were not bad — on their deathbed. What will you remember about yourself?

What will your last post be on social media? Will it be something that helps people or some waste of time argument?

Forgetaboutit.

Do something positive that makes a difference — right now. Today!

As for me, one of my most enjoyable things over the course of the year has been simply walking my dog. And that’s what I’m going to do right now. And now you will be subjected to cute dog pictures because this pretty much sums up the rest of 2023.

Have a great day and best wishes for the new year.

Here’s to a great 2024. 🩵

P.S. Go UW Huskies Football! 💜💛


Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
❤️ Sign up for my Medium email list
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
