Jun 19, 2012

Leader or follower?

What was your last amazing research in Information Security? Have you ever published a brilliant paper regarding a new technology or an undiscovered vulnerability? How many patents have been (at least) co-authored by you in this field? (Yes, the last question is just for the US, the weird patent addicts.)

I was wondering if there are people without any positive answer who still think that they are 'Thought Leaders in InfoSec'. But, wait a minute! WTF is a "Thought Leader"?

Recently I read this post, "Infosec Thought Followers", and it made me think (just a little) about the status of the industry and its "Leaders". Can you be considered a leader just because you have good communication skills and you're good at giving presentations? Yes, there are people who just get on a podium and give a talk, usually about some amazing technology researched and discovered by others.

I'm not saying that it is an easy task; however, in that case I think we're not talking about real leaders.

Leadership is a complex concept but, generally speaking, there is an influence relationship between leaders and followers. Are you able to create an influence relationship just by talking about something that doesn't have even a bit of originality?

If you're just a really well-informed follower acting as a Leader, can you predict the direction of the industry? Build credibility? Are you able to anticipate a new threat? Honestly, I don't think so. You could obviously be a great and very valuable professional, a really trusted advisor in security for many different businesses, but please, be realistic: this is not leadership.

There are some quick tips that you must keep in mind if you want to be a thought leader:

1-Thought leadership requires thinking. (Oh! sh1t!)
2-Be different and interesting. (No, it has nothing to do with your wool hat)
3-Don't be self-serving (Are you kidding me??)
4-Tell a story.
5-Build on your brand.

Have you thought of somebody who is doing at least four points of the list? I know people in the security community who are doing the last two points well, and people who are real experts in not doing the third one. I wish I knew more people doing the first one well...

I want to end this brief reflection by quoting the last paragraph of the post I mentioned before:

"Really, we’re all thought “followers” who absorb from one another. That’s what the community is good for. And we need all of it we can get."

Jun 15, 2012

Summer Reading List

As every single year, summer is coming, and with it the same doubts about what to read and what to save for the cold winter.

The problem, as always, is the time available for this enormous pleasure (and intellectual need), so I've decided to organize myself following several recommendations.

In summary, I agree with the author of the tips that it's all about focus, and it's easier to focus if you're really interested in the topic you're reading. I'm gonna start with a plan. Usually plans are made to be accomplished. Unfortunately, for multiple reasons, you can't always get them accomplished. So, please, don't judge me if I can't manage the complete plan; just think of it as a way to organize my wish list of readings :) Let's plan:

June 2012

Currently I'm reading the book "Detecting Malice" by the well-known Robert "RSnake" Hansen; if you're curious about Information Security you must have read some post on his blog and probably played with his famous XSS Cheat Sheet. I don't want to reveal too much of the book's content, first of all because I'm still reading it (I've read the first half of it very fast), and secondly because I want to give you more details in a subsequent post.

These are the other books I wanna read during this month:
  • "The Tangled Web: A Guide to Securing Modern Web Applications", by Michal Zalewski.
  • Ok, that's enough technical reading ... let's change the topic: "Zero Day", by Mark Russinovich ... Oh, wait! (In fact, I started reading this book last February, but I left it. How I hate that! Especially because I liked it while I was reading it; however, as I said previously ... some circumstances ... I must finish it!)

July 2012

More technical reading for this month...
  • "Hacking: The Art of Exploitation", 2nd Ed., by Jon Erickson
  • "Malware Analyst's Cookbook", written by Michael Ligh, Steven Adair, Blake Hartstein, and Matt Richard. This book is almost 2 years old now, but I believe it could be a good reference book. (By the way, here you have a list of some malware analysis books.)

August 2012

Here I hope to have additional time for reading ...
  • "Ghost in the Wires" by Kevin Mitnick and William L. Simon.
  • "A Bug Hunter's Diary" by Tobias Klein. I really don't have very good references about this book; however, I like the topic and I could be wrong in my preconception.

It isn't a very ambitious list, so maybe I can deal with all this reading.

Enjoy your summer reading too.