Tuesday, December 28, 2010

Guest Interview: Hadi El-Khoury and Jimmy Vo "Mentor & Mentee Q&A"


Today, our guest bloggers are Hadi El-Khoury and Jimmy Vo. Hadi and Jimmy are participants in the InfoSecMentors Project as mentor and mentee, respectively. This pair has been kind enough to keep us posted on their progress in the mentorship via updates on Twitter, and they have sent us the interview below where they both weigh in on several questions relating to mentoring in Information Security.

1. How long have you been in the program?

Jimmy: Hadi had indicated that we’ve been in the InfoSec mentor program for about 6 months. Time flies when you’re having fun.

Hadi: Indeed, mentoring Jimmy has been so enjoyable since he's keen on pushing forward in real life the new ideas and concepts we've been discussing.

2. What are your backgrounds?

Jimmy: I am a recent college graduate from Richard Stockton College of New Jersey with my B.S in Computer Science/Information Systems, specializing in an Information Systems concentration. The Information systems concentration was more business orientated, which I found helpful already. I’ve worked part time help desk positions during my undergrad studies. I’ve started my first full time position as an IT Systems Analyst for a small business. I’ve always gravitated towards information security and had an interest in hacking. Most of my undergrad research was centered on information security. I’m currently attending Boston University for my M.S in Computer Information Systems – Security Concentration.

Hadi: I hold a post-graduate degree in Network and Information Systems Security from the French Ecole Nationale Supérieure des Télécommunications. Prior to that, I graduated from the Beirut School of Engineering ESIB with a specialization in telecommunications. I am currently a Security Consulting Manager. For the last ten years, I've been dealing with information security and business continuity subjects on technical, organizational and business levels in line with ISMS (Information Security Management System) implementation while taking advantage of quality and business process management aspects for large financial institutions and critical private operators across Europe and the MENA region.

3. What were the main logistical challenges?

Jimmy: Hadi resides in Paris, France so there is a six hour time difference. Despite the time difference we meet weekly via Skype. We usually chat for about an hour to an hour and a half about various topics which I’ll go into detail later.

Hadi: Indeed, since it's often past midnight Paris time when Jimmy and I meet through Skype, I have to keep a Coke can by my side to regain some energy after a long day at work.

4. What were the covered topics? (Hard Skills)

Jimmy: One of my main focuses is business continuity planning. We developed a plan to create a business continuity plan which involved business process modeling, dealing with vendors in regards to SLA, coming up with metrics, determining risks, and various other BCP related topics.

We also discussed ways to improve an IT infrastructure, such as concepts like ITIL and other ISO standards. We also discussed various information security topics which deal with metrics, creating security awareness, OS hardening, integrating security into BCP, web application firewalls and securing the SDLC.

Hadi: I am always stressing the importance of bridging the gap between the various disciplines governing IT, HR, business process modeling, information security, business continuity, risk analysis, to name a few.... Information security and business continuity are transversal by essence and should be dealt with as such.

5. What skills categories were covered? (Soft Skills)

Jimmy: A great amount of emphasis is focused on developing soft skills that are essential to my success. We discussed effective communication with other business units. Hadi discussed the importance of working across different “silos” in order to assist in my organization’s success. There was discussion on persuasion and negotiation techniques. We talked of project management techniques to prevent project failures. Our mentorship was more than being technically able; it was about being approachable and tightly integrating technical initiatives within an organization.

Hadi: The best "geek" in the world will remain unnoticed if he doesn't possess a minimum of soft skills, namely the ones just mentioned by Jimmy. When it comes to information security and business continuity, organizations are so reluctant to change their approach that the battle won't be won unless a significant load of soft skills is invested. To support this, I share the following quote from Wall Street Journal Deputy Managing Editor Alan Murray as he was discussing some of the lessons new managers can learn from his new book, "The Wall Street Journal Essential Guide to Management." It reads: "Even best-managed companies aren't protected from this destructive clash between whirlwind change & corporate inertia". IMHO, corporate inertia will exclusively be defeated by soft skills.

6. What was the used approach? (use cases, transversality, feedback, ...)

Jimmy: From my perspective, Hadi has coached me rather than taught me. We didn’t spend our Skype sessions on going over step by step of configuring an intrusion detection system. Our discussions are at a higher level, which worked very effectively for me. I can just read a manual or Google a tutorial on deploying an IDS. On the contrary, I can’t read a manual on convincing management on the requirement of an IDS. Sometimes Hadi will assign me “assignments” which we go over during the following meeting. We also discuss interesting InfoSec related articles and try to apply them.

Hadi: In addition, I'll just mention the mindset changing "Security by Analogy" approach. Readers can find an excellent example at the ISECOM website here: http://isecom.securenetltd.com/jack.1.0.en.pdf. I personally love the Electrician example, since it constitutes IMHO the very basic foundation of Information Security and Business Continuity.

7. What were the quick wins? (ROI, ...)

Jimmy: One of the quickest wins was learning how to deal with salary negotiations. This was a skill that wasn’t taught in college. In the end, I was able to negotiate for more benefits. I was able to implement some initiatives for my organization with the help of Hadi. I see the wins every day at my workplace because of the knowledge and coaching I’m receiving.

Hadi: Every Skype session with Jimmy is a quick win by itself since his motivation remains constant and his open mindset is ready to bust a new corporate silo. Jimmy is trying hard to tackle things properly each day despite corporate inertia. These are valuable assets for any wannabe Infosec practitioner.

8. What are the induced projects?

Jimmy: My experiences beginning my professional career and discussions Hadi had motivated me to start a blog called Above Technical (.com). There are many technical blogs that focus on the mechanics of technology and/or information security. These skills are very important but the soft skills to communicate with others in an organization are even more important. The blog is focused on what I learn and the tips I’ve gathered in hopes to post some useful content for others.

Hadi: Besides naturally contributing to Jimmy's new blog, I'm evaluating the feasibility of a larger scale mentoring program that takes advantage of the InfoSecMentors experience along with online news aggregators like the http://coaching.sekimia.com one.

9. What's new on your bookshelves?

Jimmy: The newest book I’m reading is Yes! 50 Scientifically Proven Ways to Be Persuasive by Noah J. Goldstein, Steve J. Martin, and Robert B. Cialdini. It’s a book Hadi had recommended for me.

Hadi: Jimmy introduced me to the Toastmasters International website. I'm looking forward to delving into their leadership concepts.

You can find Hadi El-Khoury on LinkedIn and Twitter.
You can find Jimmy Vo on Twitter and at his blog, AboveTechnical.com.

Monday, December 13, 2010

Guest Post: Michelle Klinger "Interview with a Mentee...Mentee T"

This is the continuation in a series of interviews with both mentees and mentors on their experience with InfoSec Mentors to date. Individuals have had to have been paired up for at least two months and I also chose to keep the participants anonymous as I thought I’d receive more honest answers, both praise and critique of the program. And with that I introduce an interview with a mentee.....Mentee T:

Q: What was your reasoning for engaging an infosec mentor that you were not able to do on your own?

A: To be honest, it was the experience really. I was looking for a way to broaden my horizons, and talk to all the people I could. I'm relatively new to the community, and one of the most important things that I've found, as well as the most rewarding, is just to talk to people. When I heard about the starting of the project, I was one of the first to pitch it to others.

Q: Prior to being matched, had you known of your mentor either personally or through social media forums? Were you hoping for someone “well known” in the social infosec social circle?

A: I was definitely aware of my mentor, and I think my mentor and I had mentioned each other on twitter once or twice, but had never actually conversed. Was I hoping for someone well known? I had no preference, really. One of the most important things about a project like this is coming into it with an open mind. Particularly as a mentee, you're really after someone who is well, smarter than you. So you have to throw out a lot of your preconceived notions and just go with the flow. (Also, wow, that was incredibly hippie-ish.)

Q: Was gender a concern when envisioning who you’d be paired with?

A: Not in the slightest. There are a lot of infosec chicks who are significantly smarter than me, and a lot of dudes who are as well. Like I said above, it was really about making the connections and conversations.

Q: Has your mentor suggested or encouraged you to engage in social media (i.e. Facebook, Twitter, and LinkedIn)?

A: I'm actually more active on social media than my mentor. Mentor did make a point to remind me to be careful what I say out there, but that wasn't much of a stretch more than what I already do. It's an often forgotten art, the act of not spewing every little thought on to the interwebs. Actually, if you watch my stream really closely, you'll see me tweet something, then within a minute or two, delete it after some thought.

Q: Was your pairing public via social media (i.e. Facebook, Twitter, LinkedIn) either by you or your mentor? What was the reasoning behind the decision?

A: It was actually kind of a game to see if people could figure it out. Even about 6 months or so later, once we had pretty well, if not officially ended the mentor/mentee relationship, that some folks were still trying to catch hints. But we never officially made it public. Just never felt the need, I suppose. Now, though, I wonder if that might have put some necessary pressure on the relationship.

Q: Did the initial meeting/conversation meet expectations? What did that initial communication entail?

A: The initial conversation actually threw up some red flags for me. Our initial introduction was through email (we didn't meet in person until BH/DC), and I went ahead and took the lead, since every conversation should be a two way street, by sending a few questions in my mentor’s direction. Just a few things like how mentor got 1st infosec start, what some of my mentor’s day to day duties and such are, and a few other questions just to get to know my mentor better. And while my mentor acknowledged that emails were received, I didn't receive a full response to those questions for about 2 weeks.

Understandably, that's a little rough on the start of what's supposed to be a back and forth relationship, just by definition of a mentor/mentee relationship. I understand being busy, I was in the process of writing and preparing a talk myself, but this definitely started us off on a rocky footing.

Q: Have you made any major changes or decisions based on advice or direction from your mentor?

A: Well, I'd like to say I have, since I received such advice as "Stay in school." "Don't let your ego get ahead of you." But I don't know that those are really personally specific, so I guess the answer is no.

Q: Were you given any “homework” or assignments to complete and did you actually do them? Did you see value in the tasks assigned?

A: In an odd turning of the tables, I was actually the one issuing homework. I was looking for feedback on my talks, and my topics, so I assigned my mentor to watch the recordings. However, I don't think that was ever done, so I suppose there wasn't much value from the assignment if it never got done.

Q: Do you feel the mentor you were paired up with was an accurate match?

A: That's a hard, hard question to answer. I think we had some similarities to be sure, and since I still don't have much of a direction in mind, just getting to know someone new was kind of rewarding. However, I am still definitely disappointed, thinking about what could have come out of it. Even meeting in person never lit much of a fire. This is an organic thing, it has to be nurtured and grown, which requires effort on both sides of the table. If that never happened, nothing ever grew, and then I don't know that we could call the match accurate. The important thing, though, is that I learned something from this, even if I'm not totally sure what it is quite yet.

Q: If you could re-do any aspect of your interaction with your mentor to date, what would it be and why?

A: That's a loaded question, particularly after my comments above. Is there stuff that I would change? Hell yes. I'd love to have gotten to know my mentor a little better. I wish we could have shared a bit more than the IM conversations and a few hours of surface chat at BH/DC. I was in an area where I was trying to make some decisions and more than a line or two would have been greatly appreciated.

However, I don't want my story to be a discouragement. More a...disclaimer, I think. As you go into your mentorship/menteeship, be aware this is definitely a relationship. It has to be a two way street, or this isn't going to work. Take a look at your time commitments before joining the program. This whole post could have been avoided early on, if my mentor had waited until a period where mentor had a little more time on his hands. And not even a whole lot, but enough to answer an email every few days. Just something to think about…..


Looking for other mentors/mentees...If you'd like to be interviewed, please contact me at securityindepth at gmail dot com

Monday, November 22, 2010

Guest Post: Michelle Klinger "Interview with a Mentee...Mentee Y"

As previously mentioned, this is the continuation in a series of interviews with both mentees and mentors on their experience with InfoSec Mentors to date. Individuals have had to have been paired up for at least two months and I also chose to keep the participants anonymous as I thought I’d receive more honest answers, both praise and critique of the program. And with that I introduce an interview with a mentee.....Mentee Y:

Q: What was your reasoning for engaging an infosec mentor that you were not able to do on your own?

A: I'd been working to transition into the pen-testing field but without direct experience it was difficult to get past initial interviews. I sought a mentor to help me identify the areas I was lacking and suggest how I could fill the gaps in my experience.

Q: Have you ever had a mentor before? Was it organically developed or had you been a part of other mentor programs?

A: I've had mentors off and on throughout my life. In every case they were organically developed and made a huge contribution to my success at the time.

Q: Prior to being matched, had you known of your mentor either personally or through social media forums? Were you hoping for someone “well known” in the social infosec social circle? Why or why not?

A: Yes, I'd seen my mentor present at Shmoo earlier this year so I knew of them already. The fact that he is well known only helped me to more quickly understand how he could contribute and help me towards my goals. The "well known" factor wasn't a requirement for me though. As long as the mentor had the experience to understand what I was looking for and help me down that path, that's all that mattered to me.

Q: Was gender a concern when envisioning who you’d be paired with? Why or why not?

A: No, gender was of no concern to me. I've met plenty of highly experienced people in this field and their gender had little or nothing to do with that success. As long as we could communicate and work together that's all I cared about.

Q: Has your mentor suggested or encouraged you to engage in social media (i.e. Facebook, Twitter, and LinkedIn)? Have you? Why or why not? If you have, has it aided in your original goals?

A: I was already engaged in most of the social media options when I was matched so no, he didn't suggest any of those. Of all the social media I use, Twitter has been the most valuable for keeping pace with what's happening as it's communicated by the infosec industry.

Q: Was your pairing public via social media (i.e. Facebook, Twitter, LinkedIn) either by you or your mentor? What was the reasoning behind the decision?

A: Yes, I know I tweeted about it immediately although I waited to say who my mentor was until after we'd exchanged an email or two.

Q: Did the initial meeting/conversation meet expectations? What did that initial communication entail?

A: It wasn't what I expected but that wasn't a bad thing either. I learned that my mentor and I shared many similar experiences which helped me to understand that my goals were reasonable. Basically, "If he could do it, then I had a shot too".

Q: Have you made any major changes or decisions based on advice or direction from your mentor?

A: Absolutely. His experience gave me an alternative path to consider for my job search. Ultimately this is what led me to my current new job that I've had for about a month now. It's not a pen-testing role like I'd been targeting but it turns out I'm probably 10x better at being an analyst than I would have been a pen tester. Plus, the company I'm with now has lots of opportunities internally when I'm ready to move into other areas, including pen testing.

Q: Were you given any “homework” or assignments to complete and did you actually do them? What are a few examples of assignments given? Did you see value in the tasks assigned?

A: He definitely gave me recommendations for web app lab configurations. It wasn't homework though and unfortunately I've never taken the time to set up the suggested lab systems. I do see value in this and when I do reach this point I know my mentor will still be there to help with any questions that may come up.

Q: Do you feel the mentor you were paired up with was an accurate match? Why or why not?

A: Yes, my mentor was an accurate match based on the information I provided in my questionnaire. The end result was a path I hadn't considered taking and was different from what I thought I was looking for but a win is a win.

In the end, the InfoSec Mentor experience was less what I was looking for, and more of what I needed. If you're open minded enough to see this and respect it for what it is, then it's a priceless lesson and an invaluable experience.

If you’d like to be interviewed, please contact me at securityindepth at gmail dot com

Tuesday, October 19, 2010

Unexpected difficulties from life on the road


As far as career highlights go, this past month has been one of the best. I'll never forget my trip to Source Barcelona where I hobnobbed with Really Smart Dudes™, had conversations that may well have changed the course of my business model, and convinced Wim Remes to be EU Director of the InfoSecMentors Project.

But the name of this post is about unexpected difficulties in traveling, not in its virtues.

Nobody will be surprised to hear it when I say that I made a rookie mistake. The conference was actually only two days, but I've been to Europe before, and I knew that if I was going to be human I would need two days beforehand to get over jetlag. Then, as long as I was in Europe, I decided I would stay through till my cousin's wedding. And I'd always wanted to see Italy. And I was set to coordinate Security B-Sides Atlanta in October. Before I knew it I had racked up 26 days away from home.

Now, you industry veterans know before I even say it what my unexpected mistake was. In my excitement to experience the whirlwind jetset of a lifetime, I had completely abandoned my loving, dutiful significant other. By the time I realized what my trip was really costing me, the damage was pretty severe. I'm grateful to say that all is well now, but it left me thinking "I wish someone had talked to me about stuff like this." The InfoSecMentors Project blog is about advice for careers, but it's also about the ephemeral stuff that you may never realize, but really need to survive in the bigger game. So, thanks to some of the awesome supporters of the project, below are some thoughts from people I respect in the industry on the subject of traveling for work, and keeping that perspective on *what's really important.*

Does traveling for work put a strain on your relationship/family life?

Chris Hoff, someone who regularly crosses continents, said,
"Definitely. There are two aspects that are most difficult; logistics and emotional connectedness. I have 3 kids (6, 9, 14) and another on the way. My wife and I really do work like a transportation team when I'm home and I do most of the cooking so it's very difficult for her to maintain all of it by herself. She does a fantastic job but it's a nightmare trying to plan around three different schedules given the kids' activities.

Then, of course, there is the issue of not being there; not having a spouse, a friend, a dad. That's a terrible price to pay, but given how big of a part of my job this is and has been for some time, we learn to cope and try to quickly settle back into a routine when I get home."

How likely are you to forgo work travel for family reasons?

Following up on a topic he actually covered at HacKid Con in Boston, Josh Corman said,
"I travel BECAUSE of family, because I am the provider. I hate getting on a plane for work (although many friends/colleagues don't even have income right now.) I travel BECAUSE I love my family. The trade-offs between the Provider, Parent, and Spouse roles are very difficult."

Martin Fisher adds,
"I may not forgo the travel but I work hard to minimize impact. I plan for day-trips instead of 2 day events...2 day events versus a week away...and so forth. Sometimes long trips can't be helped but working hard to minimize the impact pays huge dividends."

How often do you "call home" while on a work trip? Which technologies do you use?

Ryan Russell said,
"At least daily, usually several times per day. At least one voice phone call, frequent texting, sometimes an email. My wife isn't into any social networking, but I see many other couples use that. I will sometimes interact with my older kids on Facebook. When I went to Germany a couple years back, I found my cell not working, and hotel phone ridiculously expensive. I was happy to find that Skype worked really well. (On the really expensive Hotel Internet, but that's not optional. ;) ) We have toyed with gmail video chat, and found it workable. We would probably use that in the future."

So, what's the secret, really?!?!

In classic Nickerson style, Chris weighs in on this one, touching on points I hadn't even considered.
"HAHAH... I really wish there was one. More than anything, it has to do with the level of understanding of your family. If they have always known you to fly 150k miles a year and only be home on the weekends.... they have their expectations set ( hell, i think Jes gets sick of me being home for more than a few weeks in a row) =)

If you are new to the JetSetting... communication is the key! Bust your butt on the job... so you can catch that early flight, plan your trips wisely, check in often, speak your mind... (this one is huge) Let them know what you are doing and why. They love ya and will understand. Sometimes there are compromises that can be made (a day here n there) that help them feel like they are part of the process ... not just collateral damage.

The gifts.... well.. that's lame. No need to try to buy it back. Instead... buy 'em gifts at random. It's more fun, and will always be unexpected. This way you are not trying to make an excuse for why you got them some crappy Barcelona t-shirt and a package of gummy bears from Berlin.

But in all seriousness, I have had many first timers work for me in the past and I always tell them that they need to make family first, and take care of them at all costs. (PS. for all you managers out there.... It's on you as well... don't be slave drive'n your employees just because "you can" and "they don't mind." You have to have some respect for their family life. If you are not sure if you are doing it... read their schedule to your spouse. See if they say "If you had to be gone that much I'd..." or something like it. Employees and partners alike, all need the checks n balances. Spouses, Bosses, and all you Jet Setters... you all have a responsibility to be vocal and make it work together. NO ONE can do it alone."

Hopefully this was helpful, or at least sits in the back of your mind. One of the topics I hear people worry about in this industry is "burn out." I've learned first hand that it's a real concern, and unless you keep your home life happy you'll never survive it.

Friday, October 15, 2010

Suggestions for getting started

One part of participating in the InfoSecMentors project is the support resources found on this blog and over emails. One email in particular goes out to potential mentors and mentees before they meet their match, giving them suggestions for how to start the process. The first step is to bridge the familiarity gap and get to know each other. I've posted this email below, in case you were one of those volunteers who received it many months ago and were looking for a reference.

Hello participants,

If you're receiving this email, it means we have received all of your application information, and we are busy making a match for you! We've had an overwhelmingly successful number of participants, and we've begun making some great introductions. In the meantime, I thought I would create a small list of activities you should expect to do during the beginning phase of your mentoring relationship.

MENTORS
-Email your mentee with an introduction to yourself. Consider including the answers to questions like "What is your favorite duty on your job?" "When are you available and where are you located?" "What was your experience being a mentee in the past?" and "What do you expect from your mentee in this relationship?"
-Decide with your mentee on a single task that you can help them with, and execute.
-Promote your relationship. With their permission, talk about your mentee on Twitter or other forums. This is to increase the mentee's personal brand, and to make it easier for them to seek help or engage the community.
-Introduce them to other people that can help with another specific issue.
-Wash, Rinse, Repeat.

MENTEES
-Create a list of questions for your mentor.
-Email your mentor with an introduction to yourself. Include information about your experiences up to this point, and what goals you have.
-After getting to know your mentor's skill set, decide on a single task that they can help you with. The more specific, the better. (Not knowing what you want to be in 5 years is fine. Start with a goal of learning about your mentor's daily job. Ask questions about their background and style of living. Then ask them to guide you through introductions to other people in different jobs. It is important to be specific and have your questions ready.)
-Keep in touch! While it usually falls on the mentor to make the connection, it is very important for the mentee to *maintain* that connection. Plan on emailing your mentor every few months after your task is completed with updates to your professional life. This will definitely pay off down the road, I promise!

MANATEES
-Continue being adorable.

When you receive your introductions tomorrow, hopefully you will be pleased, but if there is a problem, just email us and we'll make a change. Problems that may arise include schedule conflicts, ethical/NDA conflicts, or you're already best friends and don't want to "go there." No problem. Give us another chance, and please be *specific* about your goals.

And keep an eye on our blog, http://infosecmentors.blogspot.com/. We have some helpful tips, and future blog posts planned interviewing some of you on your progress!

Best of luck,

Marisa
Founder, InfoSec Mentors
www.infosecmentors.com
====================

Thursday, October 14, 2010

Mentor vs. Mentee

Hiya ! We've been matching mentors and mentees at lightning speed in the past days and as one would come to expect, we have many more mentees than we have mentors.

At first glance this would seem natural, the infosec people I've met all had one thing in common : their thirst for knowledge. If we pick up a subject, we want to know it all. When it seems we master a subject, a whole new aspect of that same subject jumps from the woodwork. It's an eternal process. We (need to) keep learning.

When I look at the list of people who have subscribed to infosecmentors as a mentee, I sit back and wonder. Among them are people I would love to have as a mentor because I know they possess a wealth of knowledge and more importantly, knowledge that some of the other mentees crave.

Whatever your reason is for not subscribing as a mentor, I ask you to think again. And this is why :

Several years ago I picked up a book at a local second hand book market and I decided to take it with me. That book was "The Cycle of Leadership" by Noel M. Tichy and it describes how top-performing companies stand out because of their ability to develop leaders at every level of their organisation. These companies develop virtuous teaching cycles in order to keep a steady flow of leaders within the company. Most importantly, Mr. Tichy stresses the importance of the teaching and learning being reciprocal. The best teachers are those who are willing to learn from their students.

After I read the book, I started paying attention to this concept. I try to grasp every opportunity to learn from anybody. Sure I can learn a lot from another person, much smarter than me, in my own trade but I learn from the C-level executive, the helpdesk guy, the cleaning lady and my mom too. Sometimes I teach. Not in the classroom sense of the word but I share knowledge. And even then, I'm learning too. By getting feedback, people proving me wrong or people providing completely new insights that challenge me to learn even more. And it's fun !

Let's bring that spirit to infosecmentors! I promise you that being a mentor will not be a boring task and even as a mentor, you'll learn a lot !

We need you !

Mentoring in funny accents ...

I have to be honest. When Marisa came out with the whole infosecmentors idea, I must have been her worst critic. Infosecmentors was launched with the idea of bringing mentors and mentees together during BH/DC in July and I was totally rebuffed. I loved the idea, but I felt excluded since I wouldn't make it to Vegas in 2010. How could I ever participate ? I didn't sign up and let the idea slip away.

Months passed by, 0-day got released, several Patch Tuesdays came and went and somewhere in the back of my mind a thought was lingering: "could I be a mentor or rather embrace my inner n00b and become a mentee?"

Then came September and I flew to picturesque Barcelona to speak at and attend the Source conference. How much did I know my life was about to be changed? There must have been sangria and tapas involved but then and there I was personally introduced to Marisa. Now, I have to tell you, if you happen to run into Marisa the first thing you notice is the copious amounts of positive energy she exudes. After apologizing umpteen times about my behaviour a few months back, we kept talking about this project and the way she talked about it, the energy she puts into it got quite infectious. Somehow along the way I had a choice to make: either I was gonna be the bystander who criticizes and does nothing or I was going to get involved and give my everything to make this work.

I didn't think twice, or maybe I did but after 2 more cups of sangria it didn't really matter.

Since more and more people from Europe are putting their names down as mentors and mentees and the time difference would require Marisa to either clone herself or outsource the matching process to Elbonia, as of now I will be your contact person for this part of the world. Together with Marisa, I'm totally convinced that we will all benefit from the mentor/mentee relationships we want to foster and we're more ready than ever to make this work.

For those that don't know me, I'm @wimremes on Twitter and the rest can be found using Maltego. Now let me get back to finding you the right mentor/mentee and enable you to get as much out of that relationship as possible.

--Wim

Monday, October 11, 2010

Guest Post: Michelle Klinger "Interview with a Mentor...Mentor R"

As previously mentioned, this is the continuation in a series of interviews with both mentees and mentors on their experience with InfoSec Mentors to date. Individuals have had to have been paired up for at least two months and I also chose to keep the participants anonymous as I thought I’d receive more honest answers, both praise and critique of the program. And with that I introduce the first interview with a mentor.....Mentor R:

Q: What was your reasoning for choosing to offer your time and energy in becoming an infosec mentor? Had you ever been a mentor before (officially or unofficially)?

A: I have been both a mentor and mentee in my career so far. I had never taken part in a formal mentoring program before but I had been “taken under someone's wing”. That person helped me a lot in my career so I wanted to give something back to someone else wanting to get into information security.

I unofficially mentor people in my current role and continue to do so, the work I do with my infosecmentors mentee is largely the same as I do with my two unofficial mentees.

Q: Prior to being matched, had you known of your mentee either personally or through social media forums? Did you request your mentee?

A: No, I hadn’t heard of my mentee beforehand and I didn’t request my mentee.

Q: Was gender a concern when envisioning who you’d be paired with? Why or why not?

A: It wasn’t for me, I’ve worked with and been managed by females all through my career so I’ve never seen gender as a problem. I’ve been exposed to the struggles my own mother had through her career as a female in male dominated industries despite her knowledge and achievements.

Q: Has your mentor suggested or encouraged you to engage in social media (i.e. Facebook, Twitter, and LinkedIn)? Have you? Why or why not? If you have, has it aided in your original goals?

A: I’m the mentor in this pairing but I suggested my mentee set up a blog which has helped build his profile in the web application security community. I also encouraged my mentee to be more active on Twitter and get involved in “conversations”.

Q: Was your pairing public via social media (i.e. Facebook, Twitter, and LinkedIn) either by you or your mentee? What was the reasoning behind the decision?

A: It was made public, by both of us. We had multiple reasons, we were happy to be paired together. I wanted to spread the message about the infosecmentors program as well. Obviously no one gets to see everything we discuss but we feel making some things public has helped, I know of people who have applied to join the program after reading about our work and pairing.

Q: For the initial meeting/conversation did you have a set idea of what you wanted to communicate regarding the mentor/mentee relationship? What did that initial communication entail?

A: I guess the fact I’m in Ireland and my mentee is in Las Vegas limited our choices when it came to communicating with each other. We have almost exclusively communicated via email, quick/small queries via DM’s and we spent a day together at DEF CON discussing future projects etc.

Q: What is your take on assigning “homework” or tasks to your mentor?

A: I am the mentor in this pairing, but if my mentee wanted to assign me “homework” I’d not be against the idea as long as they respected the fact I sometimes have no time to do this kind of work.

Q: Since your pairing, would you say that you were accurately paired with your mentee? Do you feel that you have the knowledge and skills to guide the mentee towards his/her goals?

A: Yes, definitely. I think we are a great pairing, I felt this way just from our email conversations but after a lot of one on one discussions in Las Vegas I feel we both think alike and have the same work ethic and attitude towards information security.

Q: Would you say that being a mentor has taken up a significant amount of personal time?

A: No, if anything I sometimes feel like I should be giving more time to this but I just can’t spare much time when work and outside work projects get busy.

Q: If you could re-do any aspect of your interaction with your mentee to date, what would it be and why?

A: Probably spend more one on one time when I was in Las Vegas, given the distance between the pair of us one on one meetings are probably only going to happen once a year.

If you want to be interviewed, please contact me at securityindepth at gmail dot com

Monday, October 4, 2010

Guest Post: Dan Burrowes "Passion to Drive Action"


Today, our guest blogger is Dan Burrowes. Through his participation in the InfoSec Mentors Project, I learned that Dan has a fascinating perspective on what the Information Security community is like in Japan. He has offered to share an essay on the power of communication and letting your passion drive you. Dan can be found at his bi-lingual blog: http://akibako.com/

I'm an English teacher. In Japan. Moved here from the States seven years ago. It pays the bills. Before this, I was in IT, but long story short, right now I'm not.

It's funny how life works. Sometimes you close one door in your life, and you think that it's closed for good. In the meantime, you look for another door, only to find one and discover that it looks eerily like the last. However, when you open it, the landscape looks different. It's clearer. You can see clearly now exactly which path you are meant to take. Your passion has been found. This is infosec for me.

In this revelation, you also realize that your progress down this new path is equal only to how much effort you expend. Your passion drives you to take action. You ask when you don't know, you take initiative, and you seize every opportunity you're given.

But you quickly realize that you can't do it alone. No one can do it alone. Nobody who has ever done something great accomplished it in the vacuum of their own solitude. You need somebody to ask when you don't know. Somebody to help you turn your initiative into progress. Somebody to give you opportunities and guide you to begin creating your own.

Somewhere in the back of their mind, everyone knows this, but they often don't act. They wait, believing that greatness will seep into them as if by osmosis.

Well, guess what? You can't wait. You need to start somewhere. This was true for me, as well...so I did.

I took my Japanese language studies seriously. I went back to basics, studying networking, protocols, and programming. I read white papers, watched presentations, and listened to podcasts. I was learning a lot. But I was still in a vacuum. I needed to interact, however social networking was never my forte. Marisa Fagan gave a talk and wrote a blog post about how to prepare for a career in infosec. The simplified premise is that you need to socially integrate into the community and be active in it.

It took me a little while before I truly understood this. The point of this integration is not to create a platform for narcissistic drivel. The point is that the more connected you are to the community, the more you'll get back in return. Being part of the community means that people will help you, people will teach you, and people will inspire you. But it won't happen unless you become involved.

Keep in mind that "the community" can be looked at in two ways. One is the larger, international infosec community — the global entity comprised of practitioners, researchers, and analysts. Here, infosec rockstars travel the globe to do their thing because of their expertise and notoriety. But rockstars don't become rockstars without first busking on local street corners and honing their skills in the neighborhood garage. This is the other way to look at the infosec community: the local entity. This entity is local in language and region — it is a microcosm of the global version. The international and local spheres cannot exist independently; they are the same group, just different scopes.

Since one of my primary infosec goals is building my infosec career in Japan, I realized that I needed to start to integrate myself locally. The challenge was daunting. I'm not a native speaker, so I was linguistically separated from the community. I didn't know anyone else in infosec, so I was socially separated from the community. My city lacked a hacking group, so I was physically separated from the community.

So I decided to make a community. A local one. A group didn't exist with the goals I envisioned, so I created the Kyoto Information Security Users' Group: a mailing list and monthly hands-on learning sessions to ask when you don't know, turn your initiative into progress, and give you an opportunity to share, teach, learn, and do. So I do so. In Japanese. Every month. It scared the crap out of me at first. Me, the only non-Japanese speaker, getting up to lead a hands-on session about ICMP attacks to thirty people who are most definitely more knowledgeable than myself.

I wasn't an expert in the topic. I found my language ability failing me. But I wanted to share what I knew, recognizing that the outcome would ultimately be that *I* learned something. Nothing happens until something *happens*. You need to be an active participant if you want to learn. You need to introduce yourself if you want to be part of the community.

But all of this requires that you be able to communicate. Regardless of whether you use your native language, or your second (or third, or fourth...), it's imperative to hone your linguistic communication skills. You become hyper-aware of this issue when you live in a country that speaks a different language from your own. On one hand, you become painfully cognizant of your deficiency in your host country's tongue, yet you also begin to realize the true power that you wield in your native tongue. Communication is power. You can attack someone's argument; you can defend your own; you can convince; you can enlighten; you can garner trust and respect. It is a direct reflection of who you are and what you know.

Having command over both written and spoken language is absolutely essential because ultimately, the entire field of infosec deals with discovering, parsing, and advising on written and spoken communique.

Take a theoretical pentest of a Japanese software company. Information gathering would be practically impossible if you can't read Japanese names, addresses, or documents.

A great deal of your social engineering engagements wouldn't get too far if you didn't look and speak like a native Japanese. (Though playing the "helpless foreigner" role can give you a different avenue for access.)

Jump to the penetration phase of the assessment. You've discovered two software development servers hosting what seems to be only half of the company's key software. The servers are named "nobunaga" and "hideyoshi". You can't find the company's main assets. If your cultural knowledge were up to snuff, you'd presume that there also exists a server somewhere named "ieyasu". (Tokugawa Ieyasu did ultimately become the most powerful of the three warlords, so he'd rightfully be holding the crown jewels.)

Finally, good luck writing your report...in Japanese. And giving your final briefing to the client's executives...in Japanese. And advising the company's IT staff...in Japanese. Your career depends on your ability to communicate effectively, yet it's hard to be authoritative about your knowledge if you can't eloquently express yourself.

This situation applies to any language, whether it's Spanish, Slovak, or Swahili. It even applies to English. Even if your entire infosec career never extends beyond your native language, you still have the task of eloquently expressing yourself to other people through written and spoken forms.

Being in infosec is a lot more than just the technology. Whether you've already got a mentor, or you are still crossing your fingers hoping that the program will send you that special email, it's still up to you to take initiative in your education. Your path as an infosec mentee starts even before you become one. Become involved in the community — even if that means that you have to be the one to create it. What you create locally will eventually make you connected globally. Lastly, always remember the power that you have to communicate. Never stop striving to polish your communication skills be it in your first language, or your second.

Make your passion drive your action.



Thursday, September 9, 2010

Interview with a Mentee...Mentee X

As previously mentioned, I planned on doing a series of interviews with both mentees and mentors on their experience with InfoSec Mentors to date. I tried to choose individuals that have been paired up for at least two months and I also chose to keep the participants anonymous as I thought I’d receive more honest answers, both praise and critique of the program. And with that I introduce the first interview with Mentee X:

Q: What was your reasoning for engaging an infosec mentor that you were not able to do on your own?

A: I guess my reasoning for joining the Infosec mentors is a little different to some others. I’m already in the industry and work as a penetration tester for a large bank. My goal wasn’t to get exposure, to get technical assistance or anything like that. My main issue was that I’d reached that point where I should be giving presentations and talking publicly about things I’m doing. For me that’s a hard hurdle to get over. Fear of speaking, or more aptly, fear of landing flat on my face, is my biggest issue right now. That’s something I hoped my mentor could help me with. To speak from experience about how he overcame that, and how I can start to present my research with confidence.

Q: Have you ever had a mentor before? Was it organically developed or had you been a part of other mentor programs?

A: I’ve had a mentor before, but it’s been a long time since we’ve met. Since my previous mentor and I worked together at a company some years back, it was hard to keep in contact once I moved on. I wouldn’t say we came together organically as such. My previous company liked to run mentor schemes, and although we were (work) friends, I guess the program was the nudge we needed to make the agreement official. Since then both myself and my previous mentor have moved into other lines of work in other parts of the world, so it made little sense to continue the arrangement. He gave me a lot of good pointers however, and I’ll always credit him for giving me the drive to try new things and move forward.

Q: Prior to being matched, had you known of your mentor either personally or through social media forums? Were you hoping for someone “well known” in the social infosec social circle? Why or why not?

A: Funny enough, I’d met my (now) mentor a few times previously, and we were what I would consider friends. Ironically I actually joked on Twitter that I’d get stuck with him… and look what happened. I don’t regret it for a minute though, as he’s a perfect fit for what I want to improve on.

I guess I was hoping for somebody to come along who I knew and respected… and I certainly wasn’t disappointed in that respect. Not that being well known makes you any better or worse at being a mentor, but I guess I had an image in my mind of what I wanted and that went well with it.

Q: Was gender a concern when envisioning who you’d be paired with? Why or why not?

A: No I don’t think so. I don’t think gender makes a difference in the industry. A lot of people have made a fuss about gender issues in security in the last few years but I’ve never seen the issue myself. I have respect for people in this industry regardless of the age, sex, race or experience. This isn’t an easy industry to work in, so the fact they’re here and trying means they’ve earned that respect.

Q: Has your mentor suggested or encouraged you to engage in social media (i.e. Facebook, Twitter, and LinkedIn)? Have you? Why or why not? If you have, has it aided in your original goals?

A: Well I was already a social butterfly… in fact I think I’m on more social networks than he is. Not sure if that’s a good thing or not ;)

Twitter has been a big part of my success and been a great way to meet people. I can’t recommend it highly enough to people in the industry, or looking to break into it. You have to be part of the conversation after all… and everybody has a point to make!

Q: Was your pairing public via social media (i.e. Facebook, Twitter, and LinkedIn) either by you or your mentor? What was the reasoning behind the decision?

A: We announced our pairing pretty quickly on twitter and on my blog. It wasn’t really a discussion to be honest, as we’ve both been on Twitter for a long time, it just seemed natural. I’ve actually seen a lot of infosec mentees creating accounts on twitter when they’ve been paired with a mentor. I think that’s a good thing as it’s a great resource.

Q: Did the initial meeting/conversation meet expectations? What did that initial communication entail?

A: I’ve had a few really good talks with my mentor and gotten a lot out of them. We initially started talking over Skype and other online channels due to the distance (I’m in Europe and my mentor is in the US). We met up face to face again at BSides Las Vegas, which was a fun trip. I think our relationship is a little unstructured at the moment, as we’re both rushing around to conferences and the like... plus the obvious time difference. Hopefully we’ll be able to get together more often online or IRL in early 2011.

Q: Have you made any major changes or decisions based on advice or direction from your mentor?

A: Not at the moment. I’m still working on a few things that should come to fruition next year. Hopefully my mentor can help me iron out the many kinks before then.

Q: Were you given any “homework” or assignments to complete and did you actually do them? What are a few examples of assignments given? Did you see value in the tasks assigned?

A: My mentor did offer something you could call homework, but due to some bad timing I wasn’t able to take him up on the offer. Still, there will be other chances to show my presentation skills I hope. My mentor has also given me a number of smaller tasks to do, usually at the last minute… still it’s all good experience. They’ve certainly helped me look differently on things and change my opinion about a few key issues.

Q: Do you feel the mentor you were paired up with was an accurate match? Why or why not?

A: I think so. We have similar outlooks on things, which is great. Plus he has the perfect skill set to help me achieve what I want out of our relationship. I’m hoping the transfer isn’t all in one direction however as I see the mentor / mentee relationship as a two-way street. If it’s all work for the mentor and no benefit then that’s not good. So I hope I can add some interest to the mix and make a difference for him also.

I’d like to thank Marisa and everybody involved for the chance to be part of the InfoSec Mentor program. If you’ve not already signed up, you should take the time to do it… you’ve got nothing to lose!

Wednesday, July 21, 2010

It's only just begun.....

Now that it has been a few months since the highly anticipated mentor/mentee pairing, I wanted to touch base with a few of the participants to see if the rose is still on the bloom or if the honeymoon is over. Over the course of a few weeks I’ll be interviewing both mentors and mentees and get their thoughts on the process so far. Since the InfoSecMentors program is in its infancy, this may help identify strengths and weaknesses to better improve the experience of everyone involved. Also for those contemplating joining, they will have a better idea of what to expect or what to do differently.

I’ve chosen for the interviewees to remain anonymous to both the general public reading this blog and those within the InfoSecMentor’s leadership so as to encourage more candid responses.

Sample Questions:

  • Prior to being matched, had you known of your mentor/mentee either personally or through social media forums?
  • Was your pairing made public on the various social media outlets?
  • Were you given any “homework” or assignments to complete and did you actually do them?
  • Do you feel the mentor you were paired up with was an accurate match?
  • Was gender a concern when envisioning who you’d be paired with?

Stay tuned as the mentors & mentees reveal their experiences with the process thus far.

If you are interested in being interviewed, please contact me at securityindepth {at} gmail or @diami03

Thursday, July 1, 2010

Advice from an InfoSec Mentor


The InfoSec Mentors Project is off to a great start. While some participants are familiar with the process, others are just getting their feet wet for the first time. This week, we are very excited to show our readers what one mentor has been doing with his mentee, and the kinds of topics they're exploring.

Earlier this month, InfoSec Mentor @SecurityNinja volunteered to be matched with mentee @JackWillK. Jack was looking for someone to help him hone his skills and to help him engage the community. David began creating a list of things they could work on with Web Application Security to build up his knowledge/profile.

  1. Introduction email
  2. David Rook to do a Follow Friday just for Jack from the Security Ninja account
  3. David Rook to review Jack's resume and give feedback
  4. Suggested Jack set up his own blog and begin blogging
  5. Suggested that a joint/guest blog post on the Security Ninja blog might be useful
  6. David suggested that Jack does a series of blog posts based on the PHP ESAPI from OWASP
  7. David Rook to introduce Jack to Mike Boberski (lead for the PHP ESAPI project)
  8. General advice: conferences are expensive, see if you can volunteer to help out at conferences such as BlackHat in future
  9. General advice: conferences are expensive, see if any other local conferences are going to have some of/the same speakers - i.e. DEF CON has a lot of the BH talks for about 1/10th of the price
  10. Suggested lab exercises for Jack to carry out such as using the Damn Vulnerable Web Application, Web Goat etc
  11. Give a "suggested reading" list of books/articles

So far, Jack and David have made some great progress on this list. In addition to being more animated on Twitter, Jack has also begun his own blog. He followed through on the suggestion to do a series of posts based on the PHP ESAPI project from OWASP. This brought some new attention to the project, and Jack was even mentioned for his work at an OWASP meeting. Then Jack's blog was picked up to be a member of the Security Bloggers Network. Success!

David was nice enough to also share with us his suggested reading list of books and articles that focus on general security knowledge for a good foundation.


"If I were trying to get started in web app security right now I'd have a read of some of my own presentations (*might be a biased statement haha) on the Principles of Secure Development and my DEF CON presentation from last year.
The Principles of Secure Development is basically a root cause analysis approach to secure development. It focuses on the real issues behind vulnerabilities rather than getting caught up in the FUD and media hype of specific vulnerabilities, top "X" lists, etc.

I would also begin playing with vulnerable applications such as the Damn Vulnerable Web Application. Learn about the vulnerabilities in them and try to figure out how you would prevent them yourself. I would also recommend a few books as well (I own them all so I genuinely do personally recommend them):

XSS Attacks: Cross Site Scripting Exploits and Defense by Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov

SQL Injection Attacks and Defense by Justin Clarke

The Security Development Lifecycle by Michael Howard and Steve Lipner"

We're looking forward to seeing some more great things from Jack, and hopefully he'll keep us in mind when he becomes a Security Rockstar :)

Friday, June 4, 2010

Guest Blog: Michelle Klinger "And when exactly am I supposed to find time for that?"


Today, our guest blogger is Michelle Klinger. Michelle has spent the last 5 years as a security assessor for Fortune 500 companies. She has joined the InfoSec Mentors program as a way to increase her technical skills and gain a better understanding of the industry.

As I begin to pursue my information security career in earnest I have come to the conclusion that in order to truly succeed in this industry, it requires an inordinate amount of time and energy be devoted to the trade. Now I know what you are saying... DUH! I suppose to be successful in any career one must devote endless amounts of time. I obviously recognize that hard work is required to succeed but I am more curious about the info sec community specifically and how you deal with these pressures.

I use Twitter specifically to connect, interact, and network with the info sec community, and I’ve been lucky enough to make some good friends with what Andrew Hay calls “D List” security professionals. But as I read my tweet stream I am struck by all of the activities these D list, successful, security professionals engage in: giving talks; blogs (both writing and reading); attending conferences; “real job”; side projects; reading security articles; podcasts (both recording and listening to); and attending local security meet-ups. When do you sleep?! I want to know what the secret is for being able to maintain this level of devotion. Does one need to be single? Is it absolutely necessary to have an understanding spouse? Or have you just resigned yourself to the fact that people are going to be disappointed and pissed off that you never have time for them?

Now I’ve committed to taking this seriously to learn as much as I can….I’ve subscribed to various podcasts & blogs; I’ve participated on a few Bsides panels at BSidesSF and even gave my own talk at BSidesBos, wrote my first blog, attended several conferences, co-planning BSidesDFW (shameless plug), and even signed up for InfoSecMentors. And so as I begin to come to the realization that there are not enough hours in the day, I turn to the experts for advice on what I should expect or watch out for? At the very least send me that doohickey thing that is able to make time stand still...


In addition to finding the balance between the daily grind and the extracurriculars, you can find Michelle Klinger working on her latest side project, Security B-Sides DFW.

This B-Sides is an unconference event held in Dallas-Fort Worth on Saturday, November 6, 2010. The committee is still looking for sponsors, and the Call For Speakers is still open.

To show support, tweet "#BSidesDFW November 6, 2010: Don't Mess with Security! http://bit.ly/BSidesDFW"
Michelle Klinger

Sunday, May 30, 2010

Guest Blog: Amelia Shackelford "Taking the Risks"


Today, our guest blogger is Amelia Shackelford. Amelia is a fiction writer based in Atlanta, GA, and has received her fair share of advice from great minds.

In the spring of 2004 I was an undergrad at Georgia Tech and an unpublished author. When people asked me what I wanted to do, who I wanted to be, my answer was simple. “I’m a writer. I want to write.” But, as yet, though I talked the talk, I was just beginning to learn to walk the walk. I saw myself as a Writer with a capital W, but I wasn’t published. To the literary world, I was nobody.

Your heroes are human.

That spring William Gibson came to Tech touring his new novel, Pattern Recognition. This man had been successfully living my dream for as long as I’d been alive. His writing had informed and inspired mine. In short, in my mind, William Gibson was not a man but a Hero, and from the moment I heard Gibson was coming, I knew what I had to do.

See, I had this first edition paperback of his first novel, Neuromancer. It was beat to hell. I had read it over and over again. It had been my travel companion up and down the East coast and across to the West for years. Like a child’s most ragged stuffed bear, with an eye missing and the fur coming off in patches, it was my most beloved and prized possession. And I was about to get it signed by the Man, by My Hero.

The day I found out I was going to have the chance to meet my hero, I ran home from class, threw my bag down and ransacked my room. No luck. I searched everywhere. I knew it had to be there somewhere. I made a trip to my parents’ house that weekend, tore up my old room, the living room, the garage…

The book was nowhere to be found. I knew I had it. There was no way it was gone. It wasn’t lost, but it wasn’t in my hands.

I racked my brain. No one had ever been allowed to borrow it. I tore my boyfriend’s house apart, searched through my living room, my roommates’ rooms, and the day of Gibson’s signing just kept coming closer. Instead of looking forward, I kept wishing for just one more day, just one more day to find The Book.

Finally, inevitably, the day came. I still couldn’t find it, but I was not to be defeated. I headed to the book store early, purchased a copy of Pattern Recognition and asked the cashier, “Oh, and could I grab one of those Post-it notes?”

Standing in line, just a few adoring fans back from the front, the next guy in line asked me what I was having signed. “Oh, just the new book,” I shrugged, “And this Post-it,” I smiled slyly. My inquisitor looked at me, knitting his brows together, “What?”

I explained my predicament and how important it was for me to get Gibson’s signature in my copy of Neuromancer at almost any cost. His response? “Woah, that’s a really specific request. I don’t think he’ll do that…” This guy was too nice to say it, but the way he shook his head, the dismissive look at my poor little Post-it (stuck on the tip of my pinky finger) said it all: “What makes you so special?”

And what made me so special? Like I said, I was no one. What do you call an unpublished writer in the literary world? Nobody.

I shrugged, started to answer, but our conversation was cut off. The Man had arrived.



After Gibson gave his reading, he opened up the floor for questions, and I made my move.

“Where did you get the idea for the film in Pattern Recognition?” It wasn’t a brilliant question. It was nothing new, and I was sure he’d had to answer it before, maybe countless times. I almost didn’t ask. I almost kept my hand down by my side. After all, I was just some kid. Sure, I fancied myself a writer, but who was I? Nobody.

But, no. I had a mission. What made me so special? The guy behind me in line didn’t know, and neither did Mr. Gibson. I had to show them, and that wasn’t gonna happen unless I took the chance. It wasn’t gonna happen unless I quit worrying about having the most brilliant question, about being nobody. It wasn’t gonna happen unless I opened my mouth.

“Funny you ask that,” Gibson smiled. “When I was in college, I took a lot of film classes, and I’d always volunteer to run the projector, mostly so I could get some extra sleep during class. I think somewhere in there, all these old black and white films reflecting off my eyelids got stuck in my subconscious...”

Twenty minutes later, I was standing in front of him. He was signing my copy of Pattern Recognition, and I was still nervous, still feeling like just about nobody, like maybe the guy behind me in line was right… when what do you know, I found myself asking him another question I was sure he’d answered a hundred times before. “So what happened with the movie Johnny Mnemonic? I mean, it looks like your world, and there are so many elements from Burning Chrome and the Sprawl trilogy, but… well, it just doesn’t fit together, and, well…”

“Actually, I wrote the screenplay,” he chuckled and paused.

“Oh really?” I was taken aback.

“Yeah, it was supposed to be a comedy, with a lot more Dolph Lundgren running around in a loin cloth.”

I laughed out loud, “Oh, god, really?!”

“Yeah,” Gibson laughed with me, “There were two problems. First, Speed had just come out, so all of a sudden Keanu Reeves was an action hero instead of a comedy star. Second, and probably even bigger, the production company was afraid of the religious right crucifying us over all the Cyber Jesus jokes.”

“Wow,” I shook my head, “It all makes so much sense now!”

Right about then, his handlers were getting a little fidgety, trying to move me along. In relaxing into conversation, I had almost forgotten my mission, and now was my moment, so I opened my mouth. “Oh, before I go, Mr. Gibson, I have a very special request...” I explained how I couldn’t get my hands on my book, that I was an aspiring writer, and how much his work meant to me. He smiled, took the little piece of yellow paper from me and signed it, “The Official William Gibson Emergency Post-it.”

What makes me so special? Nothing, kid. I wanted something. I wanted it real bad. And if you want something, you gotta take that risk. You gotta open your mouth and ask. Your heroes? They’re just humans. Talk to them. Ask a question. Something good might happen.

Amelia Shackelford is a graduate of the Georgia Institute of Technology with a degree in Science, Technology and Culture. Her work has been featured in print in the Edge Science Fiction and Fantasy anthology Opus 3 and The North Avenue Review. She's also been published online in Monkey Bicycle and RUMBLE Magazine. You can also look for Amelia's work in the forthcoming Sybil’s Garage No. 7. Amelia currently splits her time between writing, serving coffee to the masses and answering the question, "So why did you get an English degree from a technical institute?"