Pages

Thursday, February 07, 2019

Review: Tribe of Hackers

I'm not a hacker.  Yes, I'm intensely curious about technology, and in particular, computing.  However, I don't consider myself a "hacker", in the sense that the term began to be used in the mid- to late-'90s.  That is, the term was co-opted by marketing teams and became somewhat equivalent to "pen tester", and even began to be distinguished by prepending it with "ethical".  No, I've been on the defense/investigation side of the infosec community for most of my career. But I still downloaed a copy of Marcus and Jennifer's book, Tribe of Hackersthe other day and so far it's been an enjoyable and extremely insightful read. 

First, let me say that I like the idea that Marcus found something that impacted him while reading another book (Tribe of Mentors) and wanted to replicate that himself.  I did something similar in my book, Windows Forensics and Incident Recovery; in chapter 6, I tried to replicate the methodology for developing and building a process, based on The Defense of Duffers Drift, originally written by MajGen Swinton in 1904.  This book was required reading during my initial training as an officer in the United States military, and I still remembered the approach years later when I wrote my book.  I mention this because this is something Marcus states on the first page of the introduction to the book; as such, it's one of the first things I read, and it's the first thing that really resonated with me.  So here, I feel as if I already have a connection with Marcus, in that 15 years later, his approach validates my thought process.

Before I continue, there's something I wanted to get out of the way.  Yes, I read more than the introduction (much more), and as such, I recommend that not only do you read this book, but that you also strongly consider taking the time to answer the questions posed yourself, and perhaps even take a step beyond that and share your responses.  You can do this through a blog post, or take it one question at a time on LinkedIn, or simply use whichever medium with which you're comfortable.  I'm positive that not only will you find something in this book that resonates with you, someone with whom you connect, but if you share your responses to the questions posed in the book, you'll connect with someone else, as well.

Next, I found the book well-formatted and well-structured.  Yes, the approach is one of structured repetition, but in some ways, I think that's a good thing.  It gives a format to the approach, rather than just a free-form flow of disparate ideas.  I've seen what happens in the community, particularly at security conferences, when there's no structure and "famous" people are given a time slot and an open mic.  Hint: it doesn't go well.  The format used in the book lets the reader do something of an "apples-to-apples" comparison between respondents, as they each answer the same questions, albeit in their own way.

The book does not contain technical content, per se.  It's content is the views, opinions, experiences, reflections, and back-stories of those who responded.  If you're somewhat experienced in the information security field (say, 5 years, or more), you'll find a good bit of validation in what you've been thinking in this book. If you're new to the field, I really think that this will open a door for you.  The first thing most people will really see when they flip through this book is the pictures.  The idea of adding pictures of the respondents humanizes their words; pretty much anyone who picks up this book is going to see someone who looks like them.  This then gets them to take a step further and read the words; given the breadth of respondents, you're more than likely going to find someone in the book with whom you share a common background.

I don't recognize most of the 70 names in the table of contents; of those I do recognize, I've never met them in person, face-to-face.  We may have seen each other at a conference, in passing, but beyond that, I do not profess to "know" any of those who shared their background and insight.  But that doesn't mean that I don't find value in their words. 

This book can also presents challenges for those new to the industry; in several instances, the recommendations include "keeping up on the latest things in the industry".  In this day and age, that's almost impossible.  Looking at the backgrounds of many of the respondents, someone new to the industry, or looking to move into this sort of work, may find it intimidating.  Remember, many of the respondents have been around for a while, and they had to start somewhere.  Many, like me, started well before there was classes or courses of instruction available in any of their areas of expertise.  Some may have seen a need and moved to fill it, while others picked a direction and began the process of building knowledge in that particular area.  In short, they all started somewhere, so don't let that intimidate you.  Don't look at what they've achieved and think, "oh, I'll never be as good, as smart, or as capable as they are..."; instead, take the first step.  Don't look at where they are now as the story, consider where and how they started out and consider the journey. 

At this point, I have not read every chapter of the book; I'm still working through it.  Sometimes I'll open the PDF and read for a while, other times I'll pick out a name and just read their responses.  However, I wanted to share my thoughts on the book now, because I knew that if I forced myself to wait until I finished the book, I might never write my thoughts down. 

Interestingly enough, with all of the different backgrounds and beginnings described in the book, so far, there's one common theme I've picked up on...people.  In short, if you isolate yourself in this industry, you're obviating your ability to grow and progress, regardless of where you want to go.  However, if you actively engage and develop those "soft skills" that are referred to more than once throughout the book, that's the key to growth and progression.  This is not a purely technical profession; at some point, you're going to have to engage with someone, be they a team member, manager, or customer.  In many cases, you're going to have to harness all of your technical capabilities and communicate with someone who's not technical at all, be it through reporting, a presentation, or just talking. 

This theme continues to manifest itself, even from a technical perspective.  If you're into pen testing or web app testing, "the Googles" are only going to get you so far.  However, actively engaging with others is a force multiplier; more often than not, I know I've come away from a conversation with even just one person where we've actively engaged and come up with something much greater than we each could have on our own.  And we see this repeated time and again throughout the book.  Many (and when I finish reading all 70 chapters, I'm sure I'll be saying "all"...) of chapters include testimonies where active engagement with others has made the difference.

What does this book get me that I couldn't get someplace else?
This book provides something of an inside view into the considered thoughts of others in the industry, those who have gone before and in some cases, laid the groundwork and foundations for where we are today.  You only get so much from presentations or media sound bites; this book provides a deep dive into the minds of some who are not in the industry for the media presence or notoriety. 

Kudos to Marcus and Jennifer, and to all of those who were involved in this book.  Thank you so much for the time and effort you put into it.  Interestingly enough, I see this as just the first edition; in as short a time as two years, there could be another 70 or 100 respondents, and then at five years, another 100 more; by then, many of the respondents will be including, "...when I read the first edition..." in their words.  Great work, folks!

No comments:

Post a Comment