The final interview of this week is with Rob “Mubix” Fuller. I first met Rob at RSA 2009 and we hung out the whole conference. Interviewing Rob was difficult as he doesn’t (and isn’t allowed to) talk much about his day job but I did manage to get some information out of him.
Q: Tell us a little about yourself.
I’m a United States Marine assigned to 1st Civ Div. I have an amazing family, I’m an extremely proud father and I love what I do for a living, not much more to tell.
Q: How did you get interested in information security?
You can find the long drawn out story of that on Episode 9 of the grmn00bs podcast, but it boils down to `init 6`, game genie hex editing, being an open relay for Korean spammers, and Hak5. http://www.grmn00bs.com/2009/12/16/podcast-episode-9-when-they-were-n00bs-with-rob-fullermubix.
Q: We see a lot of ex-military getting into private information security roles these days. In your opinion does a military lifestyle foster the learning required for a long term career in information security?
That’s a really tough question to answer. I think that it really depends on which country’s military you are talking about and which section/service/faction of that military the member is from. Everyone has different experience in the military. However, my personal experience in the United States Marine Corps definitely altered my battle mindset, and increased my strategic awareness.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I don’t really have any certifications that I would like to mention, I think they are useless unless you are job hunting and I absolutely love my job. I would however like to scream great praises to muts and chris over at Offensive Security. The Pentesting with Backtrack (used to be OffSec 101) course was amazing. It sparked a fire in me that revitalized my thirst to learn that has been going strong for now almost two years after I took the course. When it comes to self-learning, I’m not really sure how to classify or answer that other than… yes.
Q: What did you want to be when you grew up? Would you rather be doing that?
A father. I was an odd kid, by the time I was a teenager I knew that I wanted a family, and that really was the only vision I had for my life. One might say that is thinking small or short sighted, but I pose to anyone who thinks that to ask any parent on the planet what their greatest accomplishment in their life is.
As far as job/career, I always knew I would be doing something with computers. I didn’t care what then because I knew that it would be constantly moving and growing. That is what really draws me to computers and more specifically security these days.
Q: What projects (if any) are you working on right now?
I’ve got one big project that I’ve been working on for a couple months now. I’m currently debating on how to release the details, but I have a ways to go before I have to decide anything. Some of the projects that I’ve done in the past include starting up a project called FireTalks, which is happening again at ShmooCon this year, along with the annual Podcasters Meetup. Grecs from NoVAInfoSecPortal.com will be running the FireTalks this year (http://www.novainfosecportal.com/2010/01/06/shmoocon-2010-firetalks/) and Tim Krabec from http://smbminute.com/ will be championing the Podcasters Meetup this year (http://www.podcastersmeetup.com/).
Q: What is your favorite security conference (and why)?
ShmooCon. I could name a number of reasons, but I think the brass tacks truth is that it was my first one. But to put it all in perspective, I’ve only really been to RSA, DefCon, Phreaknic, and ShmooCon.
Q: What do you like to do when you’re not “doing security”?
At the fault of @cktricky I’m currently addicted to Call of Duty: Modern Warfare 2 (Steam). But spending time with my family is always on the top of my list. Other than that I don’t really have any others.
Q: What area of information security would you say is your strongest?
I’d love to say Penetration Testing, Information Gathering, Reverse Engineering, or Exploit Development. However, a talent that I’ve always had outweighs all of those. Extraction. I can read or listen to something and extract what is important. To try and clarify, I’ve always been ‘the guy’ that knew what was going on, where things were, or how to do something. For example if you need a piece of software to do $function, I knew the best one to use, and the best way to get it.
However, this ‘feature’ is also a bug, it makes it extremely hard for me to read technical books since my mind will throw out what it doesn’t think is important (i.e. something that “will be explained in chapter X”). In other words, I have to understand every word or I can’t go past it. I only recently found that reading backwards (sort of, chapter count backwards, 12, 11, … 1) works for me.
Q: What about your weakest?
Hands down it’s Cryptography and Exploit Development. Higher math kills me, Chris Eng has been a huge help there, with his presentation on Cryptography for Penetration Testers (http://video.google.com/videoplay?docid=-5187022592682372937#). But I am still extremely far off from just comprehending anything but the basics. Exploit Development is my current field of study, but each day of study I realize how very little I know.
Q: What advice can you give to people who want to get into the information security field?
First and foremost, check out Dave Shackleford’s post titled: One for the n00bs over at http://daveshackleford.com/?p=277. He’s pretty much said everything I would say. But I would like to drive home the point that since security is still so new, you have an uphill battle to get people to adopt “security”. Just last year, my time deploying VMware data centers came in extremely useful when a client wanted to dispute some findings in a Vulnerability Assessment. However cliche it is to say, security _professionals_ are required to be jacks of all trades. Basically at a minimum, par experts in every piece of gear in their purview. So getting back to the point, get the experience, and security will just kinda.. happen.
Q: Our industry has a lot of people who tend to “grandstand” for the press and peers. Can you offer any advice on how to avoid falling into this mindset?
Nope, I think the people who would fall into that mindset need to learn the hard way, myself included.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)
Twitter at @mubix, my site Room362.com of which I share with a few folks now (always looking for help on a permanent or guest basis), mubix@hak5.org and (503)-406-8249
As a special part of this interview I’m going to post the following picture. For those of you who know Rob, you can ask him about the meaning at ShmooCon this weekend.