Sunday, August 10, 2014

10 Years in Infosec: The Obligatory Blogpost

I didn't intend for the face to face meetup I had with the BBC to turn into some sort of  gonzo summing up of the last ten years of my life, but looking at it - with pictures of Batman and giraffes as you scroll down the page alongside tales of Chunkylover and the Nigerian Astronaut it's difficult not to feel that your life is pretty weird.

Ten years in infosec is nothing, really, given many people have done it for that length of time three times over or more. But when you thought you'd be getting paid money to make bad movies or paint pictures riffing on the best aspects of high renaissance art via comic book sensibilities, it feels a lot longer. I'm a "Veteran" now! I'm old! I might grow a beard!

I'm still pretty new to the infosec scene, but I think I earned my blogger Vet stripes thrashing it out with all those incredibly rich Adware companies of old at a time when hardly anyone else was, and in very public fashion I might add. I also managed to find a near endless stream of "really bad things" (TM) and shone a light on lots of terrible people and practices, which can only help people in the long run so I'm happy with that. I tell you what, that was probably more use to people than me making yet another bad film or a painting of some dudes with their weenies out.

I might still do the painting, whatever.

The one thing I have learned, above all else, is that there is no bigger challenge than sitting down and hammering out a non-stop wall of text spread out across ten years. Ten years! I never thought I'd be doing anything for ten years. I actually often feel like I could have written more blogs and entries and talked about more threats, but unfortunately I run out of hours like everybody else.

A moment of silence, please, for all those infosec bloggers down the years who either stopped or (in one sad case) went missing - writer fatigue and burnout is a very real problem, and when you're trying to hammer out new research info in a field where last week's news is as good as something that lumbered out of the Dark Ages, it's quite a problem.

Writing opinion pieces on anything is hard. Finding new threats and scams to write about on a daily basis, and trying to do it differently every time, and attempting to talk about things that others aren't already covering, is hard. When I look how many research pieces I've put together, more often than not based on something I found, analysed and then bashed into something approaching readable words it's quite the eye opener. I'm genuinely surprised how much I've done.

This isn't everything by a long shot, but as a random sample: 105 blog posts in 2007, 254 in 2008, 208 in 2009 via the old Spywareguide blog. Think about how many research posts someone can get out in one week - from what I see, it's usually about 2 or 3. One time I discovered and then wrote about 43 things in one month. Which is, by all accounts, completely insane. At the same time I was cranking out up to 30 or so posts a month - often on different threads of research - on my personal blog, for about six years. That personal blog finally died sometime in 2010 when I realised I was blog typing my way into an early grave with anything up to 50 posts a month. Whoops.

The words still keep coming, as I leave FaceTime and move to Sunbelt / GFI Software / ThreatTrack Security. As the blog kept changing and moving home, it's difficult to work out exactly how many pieces of research I put out but - and this is a rough guesstimate - around 283 blog posts on the Sunbelt / GFI blog between 2010 and 2012, then somewhere in the region of 100 posts for ThreatTrack between March and November of 2013.

In December, I moved over to Malwarebytes and just realised I have hit 100 posts in 9 months. I think that's pretty good!

All those words end up helping lots of people and steering them away from bad things. We also get to shut a lot of those bad things down and hand out digital hi-fives every now and then. That's good too.

The technical process for shaping those words is an ever changing sea of "what next?" Too many sentences and paragraphs, you lose your point. Not enough, people may assume what you're talking about doesn't matter. I have written long blogs, and will continue to do so when absolutely necessary but I do try to avoid where possible. I'm always looking to remove a sentence, a paragraph, will happily write 300 words then delete the lot if it looks like it isn't needed. I don't need to throw out thousands of words on something when I can get a perfectly functional entry out the door in half the time. 84 words! That's like four sentences! Awesome.

Of course, the reader doesn't need to care about the technical junk behind the crafting of the blog - though I will be giving a talk at a University on that very subject in December (oh my God, I am old!) - but it is something to think about.

Me, I'm thinking I'll hand myself a short pat on the back for having bludgeoned my way through 10 years of sleazy Adware vendors and an endless parade of scams, files and other shenanigans and come out the other side mostly intact and get right back to it.

Also that monster nudie painting is totally going on the wall above the TFT.

1 comment:

Rob Newby said...

As one of those bloggers who disappeared, I salute you, not just for your longevity, but your tenacity. I was asked to cease and desist by 3 employers, and didn't even try when I moved into government work. It takes a carefully trodden line to stay relevant without revealing trade secrets.

I still write a lot these days, but for journals and internal awareness at my current employer. I would need an extra pair of hands to keep blogging. Notably my last post appeared before the birth of my first son. Number 3 is due in 2 months, think I'll stick to the comments.

Keep it up matey!