Kicking off the Information Security D-List Interviews is Paul “PaulDotCom” Asadoorian. Paul gave me the opportunity to pick his mind via email and IM over the past week.
Tell me a little about yourself.
I live in Rhode Island, and have all my life, where I have always been a computer geek and lots of other things. I started programming when I was 7 years old on the Apple IIe computer. I’m somewhat of an overachiever and earned the nickname “Salad Shooter” shortly after I founded “PaulDotCom”. My first real job in the industry was as an intern for a small software company. I did some programming, but my primary job was “Backup Boy”, or “BUB” for short. As the “BUB” I had to go around to all of the development systems and perform backups. Keep in mind this was well before USB thumb drives, and involved magnetic tape drives, pliers, screwdrivers, and DOS-like commands on a PoS-specific operating system (IBM 4690). I am thankful for all that I learned and appreciate things more getting my start at the bottom (I mean it doesn’t get any more bottom than being called “BUB”).
Currently I am the “Product Evangelist” for Tenable Network Security. It’s my job to use the products in real-world environments and tell people about the features and use-cases. For PaulDotCom, I produce and host the weekly “PaulDotCom Security Weekly” podcast, which now includes both audio and video. I also participate in our security consulting work, performing penetration tests and web application assessments.
How did you get interested in information security?
I was working as a system/network administrator for a small company, you know, the type of position where you have to know something about everything (UNIX/Linux, Windows, Networking, Printers, phone switches, etc…). I started to grow tired of Windows and was beginning to work with Linux (I installed Red Hat 5.2 from floppy disks). I appreciated the control, but knew that it came with great responsibility when it came to security. My friend’s computer had gotten hacked, so it got me curious about security. I started to secure computers in the office with mixed success, some would be fine after system hardening, and some would not function as well. This proved very challenging and really started to become a focus in my career. I left that job and took a full-time position as a UNIX systems administrator, primarily Solaris. After working there for some time two things happened that put me on the track for security: 1) The firewall admin got sick and I took over firewall maintenance for several Checkpoint firewalls 2) We had to undergo a security audit and I was tasked with hardening our 20+ UNIX systems. I’ve never looked back and made security the focus in my career ever since!
What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
Certainly, I have a Bachelor of Science in Information Systems, with a strong focus on business (I graduated from Bryant College). I’d say that my computer courses helped me to fill in the gaps of everything that I learned on my own and on my job. I also earned two SANS level certifications (before there were silver and gold), which was very rewarding and really helped my career. I believe that certifications are valuable, especially when you are starting out. For me, it helped me learn and apply so much to my career, even more than it was a resume builder. Certifications are what you make of them, and I did my best to make the most of them by studying hard, creating a lab at home
What did you want to be when you grew up? Would you rather be doing that?
I so wanted to be a baseball player when I was growing up. I don’t think that would be the best career for me now, especially seeing as I wasn’t always very good at it! If I had to choose a new career it might be as a martial arts instructor, fishing guide, or furniture maker.
What projects (if any) are you working on right now?
Well, there is the usual stuff I have going on at PaulDotCom. We are working hard to expand and grow in the areas of Internet radio and Internet TV. My other research project that I will be embarking on soon has to do with embedded systems. I did a lot of research on the embedded side, and even some presentations on the security aspects. I’ve let it rest for too long and want to get back into it. I don’t want to give it all away, but the goal is to raise awareness on how widespread and dangerous embedded security problems are today, and how it’s only going to get worse, not better.
It looks like you’re involved in a lot of projects. How do you balance family time with project time?
I think the answer you will hear from many of us is balance with work and family life is a constant struggle. I’d say that sometimes I do it really well, and other times I fail miserably at it. I always try to learn from each experience and try to get better at time management as time goes on. I think I’m getting better, my family may have other thoughts 😉
How do you guys come up with “themes” for the podcast?
At this point it really happens very naturally. I think in the beginning we really had to struggle to come up with content, such as stories for discussions and technical segments. We did a lot of listener feedback in the beginning as well. Since then we have made the technical segments a formal part of the show, and try to do at least one per episode. A technical segment is a “How-To”, including audio and a wiki page entry, explaining to the audience how to do something technology or security related. We draw on our experiences, so it’s usually whatever we were working on that week. The Wiki has also been a tremendous success, as we create a wiki page for each show and document the tech segments, interview questions, and stories for discussion each week. I can’t imagine trying to produce a show without the Wiki technology! Overall, we try to focus on what’s happening in information security, but without being the “accident jumpers” of security media. For example, we like to have on guests that are maybe not so well known, but are the true “rock stars” of the industry.
What is your favorite security conference (and why)?
Just like beer and cigars, it’s tough to have just one. I really like Shmoocon and Defcon, they are fun in their own unique ways, so I always make sure myself and the entire PaulDotCom team make it out to both events. I meet so many cool people and share new ideas at those two conferences especially.
What do you like to do when you’re not “doing security”?
I of course enjoy spending time with my family (they call me “Clark Griswold” around this time of year). My non-tech relaxing hobbies include fishing from my small freshwater boat, and smoking cigars (preferably fishing while smoking cigars). I also practice martial arts, including Kung Fu and Tai Chi.
What area of information security would you say is your strongest? What about your weakest?
I’d say I’m the strongest in penetration testing and network security, and a splash of embedded systems knowledge. My weakest area is probably deep, in-depth system forensics, I know enough to get by, but it’s not my area of specialty.
What advice can you give to people who want to get into the information security field?
Wow, that’s a loaded question! I’ve been asked this question many times, and discussed the topic on the PaulDotCom show a few times as well. I finally made a blog post which goes through in detail how I recommend people get their start in information security.
How can people get a hold of you (e.g. blog, Twitter, etc.)?
My blog is http://pauldotcom.com, but it’s not just me who blogs, it’s the entire PaulDotCom team. I am also on Twitter as @pauldotcom where I can be found announcing various PaulDotCom things, talking about cigars, information security, and keeping others in check 😉