Category: Interview

Information Security D-List Interview: Rocky DeStefano

rockydToday’s interview is with SIEM master Rocky DeStefano. Rocky is one of the (if not THE most) well respected SIEM experts on the planet…though he’ll never admit to it.

Q: Tell us a little about yourself.

I’m a Christian and I’ve been married to my high school sweetheart for nearly 17 years. I’m the father of 4 wonderful rugrats/mutants (at about age 12 they complete the transition from rugrat to mutant). My wife is a MFM (High Risk OBGYN) Doctor here in Austin,TX and my kids are a hell of a lot more intelligent than I am. Everything I do is an effort to make life more fun for my family.

I’ve been playing with technology for as long as I care to remember. I was playing computers all the way back in elementary school – just as my kids do now, though they have much cooler computers than I did. For the majority of the last decade I’ve been involved with SIEM and Log Management solutions in the context of security operations and incident response.

I’m motivated by seeing others succeed and knowing that in some small way I helped to enable that success.

Q: How did you get interested in information security?

Divine intervention. I entered the USAF “open/general” meaning without a plan other than to serve my country. I took a battery of placement tests and somehow talked my way into the intelligence field. From there things fell into place for me. Let’s just say the Intelligence community took a young inquisitive mind and added analytical rigor and focus on a mission. Once I left active duty I moved over to AFCERT and found even more ways to stretch my mind with real-world application working alongside some of the best security professionals on the planet!

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I have mainly learned OJT through real world successes and failures. I’ve been lucky enough to be surrounded by some seriously brilliant people of the years who took pity on me and provided serious mentorship.

I do have the prerequisite industry certifications although there current usefulness is questionable. Certain contracts I was on required them so I spent an hour or so studying and took the tests and put the rest of the paperwork together.

Biz/Mgmt Training: I’ve attended several hundred hours of management and business training courses over the years through both university and commercial offerings. I’ve also run my own businesses or major aspects of other businesses so I’ve had years of OJT. Spending your own money really helps you appreciate the finer points of getting business buy-in on IT Security spending. The best management training was to allow myself be managed and learning from those around me. I’ve experienced the best and the worst, but I’ve always learned important lessons. I look at every interaction I have with people as an opportunity to learn, about them, about myself or about whatever subject we’re talking about.

Technical Training: I’ve had a significant amount of technical training on everything from stuff I can’t talk about to the normal vendor training. From the self-training aspect – I still maintain a fairly extensive lab at home (17+ physical machines), though I moving much of it to Go-Grid and Amazon or consolidating older machines to VM’s to host on my Mac Pro. I love learning and try to find something new to learn (or teach) every day.

Q: What did you want to be when you grew up? Would you rather be doing that?

I probably would have been a Hitman or if I had learned to listen to my conscious I would have been a Cop/Federal Agent. Some days I can honestly say that I’m not sure which way I would have leaned. I also realize that I’m still growing up (ask my wife she’ll be the first one to confirm that statement) so I might wind up in an entirely different place 10 years from now. We’ll see.

Q: What projects (if any) are you working on right now?

I’m launching my company VisibleRisk and its associated blog and podcast. The company is focused on overall intelligence for enterprise focusing on more than just point product analysis, increasing the visibility of the actual risk the company is facing. Not in terms of an assessment, but from the perspective of what an intelligence analyst would present based on all source data and broad context.

I’m also working on creating solutions to support SIEM (tools Like ArcSight) and network analysis tools like NetWitness by providing or using intelligence feeds and making available updated contextually relevant content. Basically, subscribe and receive daily (or at least very frequent) content updates – I call them detection profiles.

The podcast is about sharing information, pushing ideas further and letting everyone listen in. It’s about the subject matter and the participants, not me.

Q: What is your favorite security conference (and why)?

I tend to prefer smaller more focused activities – IANS Forums are a treat for me because I get to facilitate some awesome discussions. I really enjoyed the recent SANS What Works in Incident Detection Summit. I loved SOURCE Boston last year it was absolutely fantastic, intimate and the quality of the presentations was amazing.

Of course I do wind up at BlackHat/DefCon and have fun catching up with everyone and to be honest I enjoyed myself at RSA this year. Experiencing a conference like that from a “press” perspective is so much different than participating as a vendor.

Q: What do you like to do when you’re not “doing security”?

Wrestling (mentally and physically) with my kids. There is nothing I’d rather do than spend time with them. I learn so much from them and am amazed by them. God help us all when this generation takes over, they are even more impatient and sarcastic than I am.

Q: What area of information security would you say is your strongest?

Analysis is my strongest area, which means tools like SIEM and Network Analysis tools come very easy to me. I’ve enjoyed some success and endured a lot of learning opportunities at the hands of some of these products over the last decade. I also have a talent for bridging the technical and business gap in communications. Being “hands-on” from both perspectives allows me to fit natively in all aspects of that discussion.

Q: When deploying a SIEM solution in a new environment, what are some of the things people should consider or plan for?

I’m way to verbose on this topic. First I’d point them to my blog, simply because I’ve spent years trying to get the information out in a helpful manner. To summarize it, if they know they NEED a SIEM then they should already understand their use-cases. If you understand your use-cases then the data inputs, correlations, reports and users are already defined and your SIEM deployment will fit into your operational model. It will take work but it will be successful. If you do not know your use-cases and you buy a SIEM it will take more work, cost you excessively and the project will probably never be integrated as well as it could or more likely just fail.

Q: What about your weakest?

Weakness? I have to admit a weakness? Ok… I have a habit of personally taking on way too much. I like to solve problems that are way over my head – but sometimes I can take on a few too many of them at once. This is primarily due to a lack of patience (I see a problem and it needs to be fixed) or sometimes simply thinking that I can still work 30+ hours straight without sleep and/or food. Another “weakness” is that I focus on people, I care deeply about those that work for me and for those I do business with. I don’t see this as a “business” I see this as my life and enjoy the people interaction and the focus on the mission we are trying to accomplish a lot more than the personal financial aspects, which in the end is why I’ll never be a billionaire.

Q: What advice can you give to people who want to get into the information security field?

Find a mentor/peer or 12, use them to keep you sane and on track. One small example: There are several of us that share blog posts ahead of time to refine them and make them relevant and engaging for the reader.

I also maintain a network of very senior people across the industry that I trust. I seek their input them about every major career decision I make. Sometimes I even follow their advice, but I always appreciate the fact they are willing to listen and offer assistance. You can’t do anything meaningful in this field alone. Most of us are on the same team and are willing to help out – you must seek it out and be willing to hear the honest truth when you do reach out. I mentor others and enjoy the the mentorship of others. My role is simple – Learn as much as I can and then share my knowledge and experience so that others can go further.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter: @rockyd

Information Security D-List Interview: Jackie Arlen

jarlenYou know her as the old man serving coffee but “Security Intern” is actually…..a woman! That’s right! Not only is Jackie “Security Intern” Arlen is a real person but she’s agreed to be interviewed for the D-List.

Q: Tell us a little about yourself.

I am the security intern at Liquidmatrix Security Digest, however I am currently on hiatus as I went from part-time to full-time student last fall. I miss contributing more than I imagined I would. New semester, new schedule, I’m hoping to fit in a day or two a week again. In addition to that, I’m a mom and a person who teaches, learns and shares.

Q: How did you get interested in information security?

People contain information. Loads of information. People interest me greatly. And I’m surrounded by smart people who hold important information. I am also surrounded by dumb people who hold even more important information. I’m interested in helping the first group excel and succeed and ensuring that the second group are well contained and effectively managed. I suppose that really means “human resources”, actually, and I think there is a fairly large contingent of people in information technology who would like to deal less with traditionally educated human resource type folks. I am fairly certain that is where my future lies. The kind of specialist who can mediate and integrate smart technical people with organizations who need their smarts.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I am currently working on my undergraduate degree, though I do have 40 years of life experience. I believe that because I’m focusing more on people hacking that I do need formal education to get my foot in the door. From what I’ve witnessed however, people don’t necessarily need a Comp Sci degree to make a name and place for yourself in information security. Ultimately though, parenting has taught me much about how to manage people, especially those who persist in acting like children after they have offices and suits and shiny computers.

Q: What did you want to be when you grew up? Would you rather be doing that?

Oh brother. Shoot me. Nao. I wanted to be an accountant. Or rather, I thought I did. That said, I was far more interested in playing euchre in the student center than I was attending any of the pre-requisite courses for accounting in university. Turns out, one cannot earn credit for garnering both bowers and going alone. So now, 20 years later I’m continuing that education but in a different direction. I’ve never really lost the desire to create order from chaos, and isn’t a project team just like a shoe-box full of receipts at tax time?

Q: What projects (if any) are you working on right now?

My degree is the big one. And finding my niche. Also, I need an original idea or ten and a thesis to follow. Oh, and training a cadre of miniature hackers suitable for deployment in any situation requiring equal parts social engineer and cuteness.

Q: What is your favorite security conference (and why)?

I think that because Notacon (Cleveland, OH) was my first conference, it’ll always hold a special spot. I like it’s intimacy and the variety of content. I really enjoyed DefCon though I was at times a little overwhelmed by the sheer volume of people there. Ask me this question again in a few weeks after I’ve had a ride on the mechanical moose at Shmoocon.

Q: What do you like to do when you’re not “doing security”?

Parenting, homework, DDR,, scrabble, fighting the laundry pile, the twitter and it’s internets and watching movies.

Q: What area of information security would you say is your strongest?

The hacking of the people. Social engineering. For certain.

Q: What about your weakest?

Every other.

Q: Can you share with us a story of your social engineering prowess?

I’ve always been able to tell a convincing story. Ditch day comes to mind, I assured my Mom I was not one of the 4 people in the bank on ditch day… but I digress. One of the earliest and most memorable occurred after a football game when I was in high school. Earlier in the week, a friend and I had been to the Army Surplus store and bought neon orange construction vests and hard hats. That Friday evening just before the game was over, we parked our cars perpendicular to the intersection leaving the school, completely blocking one of 2 roads out of the parking lot. The other road led to the bowling alley parking lot. With flashlights in hand, standing in the middle of the road with nothing other than a sense of mischief to guide us, we directed the entire population leaving the game into parking spaces at the bowling alley. A harmless prank though I learned that night that simply acting the part can reap stunning results.

Q: What advice can you give to people who want to get into the information security field?

Me giving advice is about the funniest concept ever but I will say this: there is a place for everyone. You may find yourself looking in from the outside and having no idea where to start. Make contacts. Contacts are endlessly useful. When you ask a question, shut the hell up and listen to the answer. Seek advice from those smarter than yourself. IE: not me. 😉

Q: This is a fairly male dominated industry. How do plan to blaze your own trail upon completion of your degree and do you think your gender will help or hinder that plan?

I’m optimistic enough to think I’ll do just fine. I’m realistic enough to know that not only do I have gender going against me, I also have age. I’m not a fresh-faced graduate. Some will think that’s a benefit, others probably will not.

When I first began the “intern gig”, people assumed I was male for a long time and I did not dissuade anyone of that. Women face challenges that men do not. As a “young male”, the intern was accepted by most. As an “old(er) female”, I was fairly sure people would view me with a more critical eye and dismissive attitude. Women often struggle to be taken seriously, I’d never been wholly accepted and with few exceptions @securityintern was a trusted entity. That was new for me and oddly satisfying. Having said all that, I have knowledge and insight to bring to the table. I’m also old enough to know that choosing battles carefully is a skill, almost an art-form, and which weapons to use in order to gain ground. New graduates don’t have that. Hopefully, someone(s) will find value in what I offer.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter: @securityintern


Information Security D-List Interview: Joshua Corman

joshToday’s interview is with Joshua Corman. I was introduced to Josh at SANS Network Security in San Diego, CA in the fall of 2009 by Dave Shackleford. He’s a great guy with lots to say about lots of different things.

Q: Tell us a little about yourself.

I’m 34 years old. I live with my wife and 2 daughters in New Hampshire [Live Free or Die].

Security pros didn’t initially know what to make of me – some still don’t. I’m technical, but no l33t. Business savvy, but not a marketing wonk. Mostly, I’m a very effective translational bridge between the super technical and the rest of the world. I was at a BlackHat many years back sitting with some guys from Lehman Brothers. I could understand WHAT was just covered, but could also help them understand WHY it mattered and HOW it impacted their day jobs. Unfortunately, that mix of technical acumen, business savvy, and strong communication skill is far too rare in our industry. In fact you and I probably know all of them.

I am passionate about Security – I see it as both a technically interesting/challenging space, and also a sacred trust / higher calling. I am candid and direct – firm, but fair – critical, but not to be negative. I can sometimes be mistaken as negative, because I start by identifying a problem – but I am a fierce optimist in my actions and in my drive to affect positive evolution. I am big on intellectual honesty. I am a huge advocate for the security practitioner.

I wrote my “Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry” for a few reasons:
1) I felt the “trusted security advisors” had been increasingly abusing that trust.
2) I felt that we had ceased to keep pace with the evolutions in this space.
3) I saw how hard things were getting for the CISO +/- community and no one seemed to be looking out for them
4) I think part of me was trying to get fired… so I could get a breather from Security for a bit.
5) I saw several peers quitting security – and decided maybe I should 1st speak up and try to change things.

Well, I didn’t get fired. And my candor was very appreciated. For some practitioners, I put crystalized what was on the tips of their tongues or just beyond their reach. For others, the discussions fundamentally changed the way they looked at their work. I half expected backlash from some of the vendor community, but none of them could refute anything I was saying – because it was true – and it was fair. In fact, much to my surprise, some of the vendors were very happy that I started this ongoing dialog – they actually agreed.

Beyond being cathartic, the process gave me a renewed conviction and confidence that these challenges [although huge] were possible to fix – as long as we are candid, critical, ask the tough questions, challenge us to evolve, and get people talking.

Silence, Willful Ignorance, and Blind Spots are/were killing a space I am passionate about – so I wanted to motivate us to do just the opposite.

We’ve got to evolve – and we haven’t been. One of the biggest threats to our evolution at the moment seems to be the overall affect PCI DSS is having – but don’t get me started on that… [yet].

Q: How did you get interested in information security?

Well. I have always loved the heros of ancient mythology and modern mythology (comics) – so I’ve always wanted to fight bad guys. My father worked for Digital, so I’ve been around computers since I could walk – and was fascinated by the early viruses. My 1st adult job was at Cabletron, a network company. I got a lot of foundational knowledge and value there, but one of our partners came in one day [Intellitactics] and gave us a “Security Primer”. I knew that day I had to get into Information Security full-time. I joined a start-up doing Behavioral Anti-Malware and was hooked. We were later acquired by ISS [Internet Security Systems] – which gave me more access and breadth. And they were later acquired by IBM where I helped drive the Cross-IBM Security Strategy and had exposure to just about every topic in the market.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

As an undergrad, I initially studied Micro/Marine Biology. I got kind of bored with it, but I was happy to be infused with the metaphors, models, and scientific methodologies. Any fan of Dan Geer knows how useful biology can be in the field of IT Security. I ultimately got my degree in Philosophy. I liked trying to solve insolvable problems. It was great practice for IT Security. Also, I knew that sound logic, analytical structure and writing skills would suit me for anything I tried to do.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a Marine Biologist and train dolphins. I love the sea – always have. Over time though, I wanted to write and direct films. Still do!

Q: What projects (if any) are you working on right now?

I could tell you, but I’d have to… Aside from a brand new job at The 451 Group, I do have 2 Security related initiatives cooking. One has to do with the supply side of vulnerabilities. Most of this market is focussed on the symptoms versus the underlying disease. We’re fighting the heads of the Hydra – not its heart. Another effort has to do with the good versus evil side of Security. Security is both a market – and a higher calling. Most do not realize the awesome responsibility that comes with Security. There are very bad people, doing very bad things. Too few of us recognize this – or are willing to rise to meet this sacred duty. What draws some of us to this problem space is somewhat akin to what draws people to be firemen, soldiers, EMTs, etc. E.g. Rich Mogull was an EMT. It is a space in need of Protectors. Some of us are drawn to this because we have a need to serve our fellow man.

Q: What is your favorite security conference (and why)?

Tough one… I’m growing sick of most of them. This space evolves so fast, but the conferences remind me how little we [collectively] are evolving. Of the bigger shows, I guess I dislike DefCon least of all. Some of these smaller shows are a lot more relevant. I really enjoyed webcasts I saw from SOURCE Boston, DojoCon, and BruCon. I’m super excited to do our PCI Debate at ShmooCon in January. I see PCI as a very serious threat to this space. Mike Dahn and Anton Chuvakin disagree. Hopefully we’ll break records for the sale of ShmooBall

Q: What do you like to do when you’re not “doing security”?

There’s life beyond security?!? [kidding]
I love movies. I love music. I love to cook. I especially love my 2 daughters. My personal time often involves 2 or more of these. Then there is also my lovely wife’s Honey-Do list… I had been playing Ice Hockey, but fell out recently due to too much travel. I miss it, I’m hoping my new job lets me get back into it.

Q: What area of information security would you say is your strongest? What about your weakest?

Hmmm. Good question. Tough question.

Strongest: I really feel like I’ve always groc’d the Malware threat domain. But I’ve really moved beyond that. I feel like I’m strongest at pattern recognition. I’m able to see the tectonic plate movements and see where things are going. Most of my higher value contributions in the last few years are looking at the macro issues in the Security space. I don’t look at what people just did – I look at WHY they did it, and predict what is likely to happen next – with pretty good accuracy. I think we’ve got a complex [and highly sub-optimized] ecosystem, so I’ve been paying attention to the major forces that shape it – evolution in Threat, Compliance, Technology, Economics, and Business Priorities. When you see the patterns, you can predict what will happen next, what will work and what will not, and see how we’re failing over-all – as well as figure out how to evolve to approach a better equilibrium.

Weakest: I’d have to say “Identity & Access Management”. In the grand scheme of things, I know it is super important. That said, I’ve always found it incredibly boring. I’m just being honest. Recently though, I’m starting to pay more attention to it – for at least 3 reasons 1) As we embrace clouds, this space gets even more important. 2) I’m eager to see us combine disparate controls for greater security. E.g. WHO accessed WHICH data, via which APPLICATION, on which SERVER, etc. and 3) One of my analysts Steve Coplan has some real mastery and passion for the space, and together we’ve been seeing some of the roles it could play in the future. I mentioned cooking… as an individual ingredient, I’ve been bored by this space – but in the right soup, it plays a critical role.

Q: What do we, as a society, need to do in order to make information security more important?

Very good question.

I’d like to see more varied educational backgrounds enter our field. The most interesting angles I’ve seen often come from the people with atypical fields of study. The new thinkers bring us Economics, Psychology, Sociology, Communication skills, Biology models, Philosophy, etc. Security is far too focussed on technology. The People, Process, and Technology trinity put technology LAST. I think until we’ve embraced and involved people-at-large, we’ll be fighting up hill. I often refer to my mother-in-law in speeches. If my mother-in-law can get it – or carry a security mind-set or “ready stance”, we won’t have so hard a time getting some of our security agendas to make progress. That’s just an example. In general,

Security folks speak in security tech/elite terms. If you want to get executive support, you need to speak their language. If you want a more engaged and aligned government participation, meet them at their level. If you want to take a bite out of eCrime and attacks on the unwashed massed in the “leper colony” of our mother-in-laws PCs, we need to use pop culture and accessible means to raise their ThreatIQ – even 1%. The people who say End User education doesn’t work are usually vendors who want to sell technology or people who suck at educating/communicating. Lame, 10 year old, annually mandatory Flash training doesn’t work – correct. I’ve written about positive examples before – maybe I’m due for this topic again. Quick example though: My hairdresser told me how she saw a Facebook quiz asking 20 questions. She skimmed them and realized that many looked like the kind of personal data that her bank might ask her for security questions. She was so proud that she didn’t fall into answering it. I made her 1% more skeptical – but that’s where it starts. You were with Shackelford and I at SANS when I said he and I should do a series of YouTube videos for the masses… “You can learn a lot about Security from [fill in the blank] – e.g. a Zombie Uprising”. Social Engineering WORKS… how come only the bad guys use it? We have a lot of untapped room for progress if we can make a Stop, Drop, and Roll-like campaign for Internet Safety.

Q: You mention PCI quite a bit in Twitter. What is your feeling on its effectiveness? What needs to change?

Where do I start… I’ll try to be brief. I am very concerned over the unintended consequences and impacts Compliance is having on our space. This is a BIG issue – probably the most central issue in our entire industry. Compliance is the #1 driver of security in our space right now. We have come to fear the auditor more than the attacker. You and I know Compliance != Security. One can be compliant and far from secure. The issue is that the world has conflated the digital dozen of PCI DSS for credit card PII data with industry best practices for all security. People are spending on mandated security – and little else. It was meant to set the minimum starting line, but in a down economy and overly costly/complex market – it’s become the finish line. This is not the intent – but it is the result.

I’ve compared PCI to the No Child Left Behind Act for Security – and the analogy holds very well (rybolov prefers “No Merchant Left Behind”). As an industry, we need to be VERY careful and VERY deliberate about the role compliance should and shouldn’t play. Compliance cannot keep up with [or be an effective proxy for] the evolutions in threat or technology – not with 2 year cycles and minor changes. Jack Daniel put it well, “Security is 2+ years behind threats, and compliance is 2+ years behind security”. But this is just ones issue with it. What’s good is we’ve started some ongoing Adult, Rational debates on this. There is a 2 part podcast debate with CSO and NetSecPodcast. We debated this at ShmooCon and there is a [controversial] video that will be posted soon [we hope]. We’re also doing another panel Wed March 3rd at Bsides San Francisco… maybe even DefCon! The Southern Fried Security Podcast interviewed me this week on this topic. I think it airs as a special episode this Saturday. The important thing is the rational discussion with people from diverse, informed perspectives. It’s advanced my thinking and theirs – we need to keep going. It affects our whole industry.

Q: I saw you launched “Rugged” and the Rugged Manifesto at What is the goal?

Software is modern infrastructure. Unlike steel and concrete, this digital infrastructure is not nearly as reliable. We’ve done a decent job developing tools and frameworks and evolving how we respond to weak software… but we’ve really failed to reach the non-security community. Rugged is a meme – a contagious value set – aiming to make non-security folk understand and value Rugged Software. I was also a little sick of our industry saying developers are lazy – so not true. Developers are talented, professional problem solvers. We’ve done a poor job raising awareness getting people to see why they should care about Rugged software. “Security” has not worked. Rugged is something non-security people are understanding. Programmers can want to be Rugged and write Rugged code. Buyers can demand Rugged Software, etc. We’ve had huge excitement thus far. Oh… and by the way… clearly security vendors stand to benefit from Rugged getting traction, as more people need help becoming Rugged. If all we do is get 1-5% more people to their 1st OWASP meeting – or first Top 10 list… this is how change starts. Last point, there are lots of critics in our space – so there have been some “haters” already. My response is… we all claim we want better security – and for more people to care about security. Is Rugged perfect? Heck no. Is there good intent – and possible promise in it? Yes. I’m asking people to latch onto the good. shrdlu and jjx put it well in their blog posts. Its a baby meme and needs support – but its worth nurturing and pursuing. So decide if you want to help make it better – or tear it down. I’m hoping for the best in our community to be their best and add their influence in a positive direction.

Q: What advice can you give to people who want to get into the information security field?

Hmmm. You need to bring your “P’s” or don’t bother. We need Passionate, Principled, Purposeful, Protectors (nod to Clint). This space is HARD, it is thankless, and it will suck the life out of you if you don’t “bring it”. We’re over our quotas for whiny, mopey, entrenched, sedentary, defeatists. Lead, follow, or get out of the way. Also, you need to be able to thrive on change. In a space that changes CONSTANTLY, our current ranks are often incapable of changing. Yes, “change == risk”, but guess what folks… we’re surrounding by it. Do the Evolution! So we need fresh blood – and if you fit the bill, please join the ranks.

Q: What advice do you have for technical people who want to move into an analyst or researcher role?

I will say that we need fresh voices and people will to dialogue and tackle the tougher, central issues. I think too often the Analyst community is simply reflecting the “Consensus of the Uninformed” or echo’ing what a vendor told them. So selfishly, I’d like people with intelligence and passion [who may not even like analysts] to consider joining the ranks.

In fact, I’m hiring – right now. I need someone who wants to help me cause the right kind of trouble in exactly the right and necessary spots.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter: @joshcorman
skype: joshcorman
AIM: joshcorman

Scroll to top