Information Security D-List Interview: Ben Jackson

Today’s interview is with the Defender of the Commonwealth, ham radio twit, and surly security guy – Ben Jackson.

Q: Tell us a little about yourself.

I’ve always referred to myself as “just another geek from Boston” as we seem to have our fair share up here. I’ve lived in Massachusetts for all my life, the first 25 or so years in Lynn, about 20 miles north of Boston, and now in New Bedford, about an hour and a half south. My family bought our first computer in 1991 when I was 11 and I have been addicted since. My family went online in late 1994 on this then brand-spanking new thing called the “Internet” and it’s been a downward spiral ever since.

Currently I work for the Commonwealth of Massachusetts as a Senior Information Security Engineer. Laugh all you want about Government jobs, I’m lucky to work with a talented group of people and it still gives me the warm fuzzies to work in the public sector.

Q: How did you get interested in information security?

I think I can trace my beginnings with security when I was in college. First, my college had a fairly… permissive firewall ruleset on the Academic network and if you were running a Linux server on the network you got a lot of attention from folks all over the world. If you didn’t quickly learn how to secure your computer, you would soon have a lot of extra accounts. Second, at my co-op job, I was tasked with evaluating, installing, and maintaining the new centralized AV server. This caused me to start looking at BUGTRAQ and Full-Disclosure. Finally, my senior year the computer science college at my University started running a twice-yearly CTF competition and I dominated both contests. This kind of made me realize that I might have a knack for this.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I have a BS in Computer Engineering Technology from Northeastern University (Go Huskies!) and I hold GCIH and GIAC Silver certifications from SANS. A Professor at college said that in the computer field, all a College degree means is that you are willing to work at something for 5 years. I really didn’t learn much from classes in college regarding InfoSec but it did provide a lot of opportunities via my co-op assignments and extra-curricular activities. The SANS certifications were good and I recommend them. They were an excellent mix of hands-on and textbook. Getting the certifications was a two-birds-with-one-stone kind of deal for me, as not only did they show to others that I knew what I was talking about, they also proved to me that “Hey! I do know that stuff fairly well!”

Q: Do you find it difficult to “sell” information security in the public sector? What are some of the biggest barriers you encounter?

Thankfully, No. I was lucky. I came on board with my group when the new Administration came in and they took information security seriously. I am pleasantly surprised as to how many of the groups are “drinking the Kool Aid”, working with us, and baking security into their processes.

Q: What did you want to be when you grew up? Would you rather be doing that?

Easy question: I always wanted to be a firefighter. While I think that my current job has similarities, there is a slight difference between racing into a burning building and fighting a virus outbreak. I guess this is why they have a sweeter ride.

Would I rather be doing that? I guess I can call it my fall back career for another year as I think the application cut off is at 30 years old, but I don’t think they’d want someone who doesn’t enjoy heights.

Q: What projects (if any) are you working on right now?

My free time for projects took a dip 8 months ago when my wife forked our child process. I still try to find free time to muck about with fun toys. I maintain an Amateur Radio version of the Security Twits list called “Ham Twits”. I’m also in the process of trying to take some projects that have been on the back burner for far too long and breathe some life into them, such as a simple Windows-based forensics tool.

Q: What is your favorite security conference (and why)?

DEFCON. I made it out to Las Vegas a couple times for DC12 and DC13 and I always miss going when it rolls around. I feel it’s a really good mix of infosec, a social weekend, and booze.

Q: What do you like to do when you’re not “doing security”?

I am a new daddy so I’ve been slowly figuring out that role over the past year and loving every moment of it. I also am fairly active in amateur radio and enjoy a good book. Another strange hobby of mine is messing around on the telephone and calling numbers just to see what happens.

Q: What area of information security would you say is your strongest?

I’m pretty good at web application penetration testing and interpreting network traffic.

Q: What about your weakest?

Everything else? One thing I really wish I was better in is finding vulnerabilities and exploits in applications that aren’t web based. SQL injection and XSS are cool, but there always seems to be some kind of heavy magic at work with shellcode and buffer overflows.

Q: What advice can you give to people who want to get into the information security field?

Learn how to write and how to explain yourself. 90% of your job in information security is to convince people you’re right. If you can pull this off, you’re going to save yourself hours of headaches.

Q: Are you at all worried about what the state of security will be when your son starts getting “online”?

Yes and No. I worry more about trying to walk the fine line of letting him get online and not having him shoot himself in the foot (or worse, shoot me in the foot) in the process. How do you teach a youngin’ about not clicking suspicious links, disabling Flash, or mitigating the latest 0 day? Should I start working “adjusting AdBlock and NoScript settings” between ABCs and sandbox time?

Q: How can people get a hold of you (e.g. blog, Twitter, etc.)?

I have a blog at http://www.innismir.net and am active on Twitter on @innismir. There you can find me pontificating about InfoSec, Amateur Radio, and whatever else floats through my head. Also, just to be different from everyone else who may answer this, you can also find me on the 146.775MHz West Bridgewater, MA repeater every morning when I commute.