2017 in review

Like years before, I want to share a summary of what I have accomplished. While there have been months where I felt like I focused on everything except security, my notes for 2017 turned out to be pretty extensive.

One of the first things I did this year was go to Shmoocon. I was not able to get a ticket, but that did not stop me from getting on a plane and tagging along with Infosystir (Amanda)! While there I was able to score a ticket from Lintile by completing his crypto challenge. In DC, I met Amanda’s co-author and the publisher of the Defensive Security Handbook. After Shmoocon, Amanda and I rented a car to go to Shmoocon Epilogue, a “bsides” style event where we attended a training session by Mubix on the Metasploit framework (msf). This was the first time I got to see how msf really worked.

In February, I got a chance to take another swing at a CTF made by my friend, Jayson. I first attempted CTF-NG at Converge in 2016 and tried my best to find cards, which were the CTF’s “flags”, using Armitage. This time around I got better results with an approach that Jayson recommended: treat it “like a real pen test”. Find all the targets, scan them for information, and enumerate the services before trying to attack anything. The information found this way led me to a lot more answers than my earlier “random hail marys”. I lost the picture I took, but I was able to find a rare card by doing one of the things I learned from Jayson while we did the overthewire bandit challenges.

Also in the beginning of the year, I worked with Taco_pirate and Misec’s leadership to rebuild the misec website. I also worked to bridge the IRC channel with a new Slack channel. Now members of Misec can see a calendar of events on the website and talk about all kinds of topics on Slack.

The new homepage of misec.us

In April, there was a panel in Southfield about building a community in information security. The speakers were great and it was awesome to be at one of the larger Misec meetings. I learned that if you want to grow your local community, go to conferences then find people on Twitter. Find the closest citysec group or band together with friends and start your own.

Another project I worked on was to set up a VPN. Instead of paying for a professional VPN, I set up an instance of Algo and wrote about my experience. I have since switched to a paid VPN service called ProtonVPN, after the Algo VPN kept dropping its connection when I needed to be online.

In May, a lot changed. I stopped working on the web application security team at Vertafore and started working at another company. I eventually moved back in with my parents to start working from their basement like every other young hacker. Since I moved away from Lansing, I also handed the reins of the local Misec chapter over to Jedi_solomon. Converge Detroit was also in May and I volunteered. Kevin Johnson and Vajkat of SecureIdeas gave training on web application security, based on Kevin’s Samurai web testing framework, a virtual machine with tools and vulnerable applications to practice on.

The Cyber defense team of Baker college in Jackson invited some of the folks from Misec to participate in Hack the Arch. Of the team composed of CCDC students and Misec members, we ranked in the top 20% of all teams (some of our teams did even better). It was a good learning experience because challenges ranged from network analysis and steganography to application security and database interaction. I want to give another shout out to Vajkat for letting me crash at her place so I didn’t have to drive to the CTF early in the morning.

In July, I gave two talks for Misec. In Jackson, I shared a talk with Hilary on ways to brute force a web login. She covered Hydra and the theory behind brute forcing while I covered using Burp Intruder and how I built a simple PHP login form that looked like a Google login page. In Lansing, I gave a full presentation on Web App testing. This was a collective effort to get through the challenges offered by OWASP’s Juice Shop vulnerable web application. As a group, we got through all of the 1-3 star challenges (out of 5 stars total).

Blackhat USA was in August and I was lucky enough to attend this year. In 2016 I volunteered at Bsides Las Vegas and went to Defcon. This year at Blackhat I went to Offensive Security’s training courses (similar to PWK) and got to meet most of the OffSec team. I learned a lot and met some awesome people. I even got to borrow a Defcon pass for a day and slip away to see some talks and friends from Misec. Once I was home from the conference, I also spent some time with my 3D printer to make a case for a TV-B-GONE from Adafruit.

My finished case for the TV-B-GONE kit

In September, I gave a lightning talk at Lansing. Titled “Intro to Metasploit”, it was an attempt to share my knowledge of msf. I tried to cover some of the basics. However it was not a complete introduction.

By the time October came around, it felt like the year had flown by. After attempting the OSCP, I learned I still have a lot of studying ahead of me. After struggling with the exam, I also started practicing with HackTheBox, a free collection of VMs to practice my hacking skills on.

My HackTheBox profile and some of my recent achievements

I volunteered at GrrCON and had a blast the entire weekend. GrrCON always has an amazing staff and interesting talks. While there I roomed with Taco_pirate, and Hilary gave her first conference talk, which was on open source intelligence.

My dad and I built a small lock picking tower, which let me move from practicing my lock picking on padlocks and handcuffs to door knobs and deadbolts. I hope to share my tower with others and show how easy it is to pick locks.

December has been a fun, yet busy month as well. It started with the RuCTFE. This year the Misec team worked with the Cyber Defense team at Baker college of Auburn Hills like last year. This time around we had a rough start getting our team online and didn’t do very well in the rankings. The important thing to take away is that we were able to review the vulnerable image and discuss ways of finding how to get the flags from other teams. Last year we got lucky and another team posted their script for exploiting one of the apps. This year wasn’t as smooth.

Amanda put on HackerSanta again this year and it’s been a huge success. For one thing there are so many santas this year that Amanda learned how to script her emailing process instead of doing it by hand, yay automation. I hope my recipient enjoyed his gift. I really enjoyed mine, I was able to figure out who my santa was thanks to Twitter and one of my gifts. HackerSanta is a fun, friendly exercise in open source intelligence.

The gifts I was given by my secret santa this year

I gave another set of Misec talks for December as well. In Jackson I did another lightning talk about the brute force login page but focused on using Burp Suite. In Southfield, I compared OWASP ZAP vs Burp Suite. If there is one thing I have learned from all my Misec presentations this year, it’s that live demos NEVER work the way you expect.

To wrap up the year I started researching cryptocurrency, specifically Ethereum and ether. I think there’s a basis for cryptocurrency to make its mark on the future of online transactions. Whether or not I invest in the idea, it would be silly not to learn more about the technology.

Goals for 2018

While 2017 was pretty busy, I have some big goals for next year. First and most importantly, I want to pass the OSCP. I’ve spent most of 2017 learning a bit at a time. Come January I plan on treating it like a second job.

I want to put my bookshelf to good use by actually opening some of the books I’ve collected over the last few years. Books like Black Hat Python and PoC||GTFO have yet to be opened. While others have been skimmed but not fully understood. Not to mention I’ve gotten dozens of digital books from humble bundles and other repositories that are worth reading. Last year I built a desktop computer to use as a home lab. The computer currently sits in my room gathering dust. In 2018, I’d like to put Da_667‘s book on building a home lab to good use and build a home lab.

Going to conferences means learning more and supporting the community. I’d like to attend at least 3 or 4 conferences this year. I also plan on submitting to GrrCON’s and Converge’s CFPs this year if all goes as planned.

Of course I’d also like to post more blog posts as well. Posts have been few and far between this year. This blog has been more of a collection of my experience in infosec. It is an outlet for me to share what I know with the rest of the community.

What are your goals for 2018? Happy New Year everyone, may things go well for all of us!

Online Brute Forcing 101

A close friend once mentioned how cool it’d be to practice brute forcing for a website login. I created a simple web page with a login form. Incorrect logins display a red error message while successful logins show the rest of the web page. There’s no database or complex code behind the webpage. It simply hashes the user input and compares it to a stored value.

Before we continue, I must make it blatantly obvious that hacking any online service without consent could land you in a lot of trouble. For your safety, do not hack any systems outside of your personal domain or online labs / tutorials that give consent. If you’re reading this blog post, you have my consent to brute force greenjam94.me/login.php. To save time and limit web traffic from brute forcing attempts, a username and wordlist are provided.

There are a couple of tools that will help with brute forcing an online form. The two I will demonstrate in this post are Burp Suite’s Intruder module and Hydra. Both tools are available on Kali Linux.

Burp Suite

Burp Suite is an intercepting proxy from PortSwigger. My websites all use HTTPS and do not allow unencrypted traffic, so you’ll have to install and trust the CA certificate generated by the proxy before Burp can see the requests.

Look closely at the image above. On the left hand side you can see all the files being requested. There are links to this blog, some Javascript code from a CDN, and bootstrap code from another CDN. These can all be ignored. What we care about are the requests to greenjam94.me, in particular the login form and the passwords text file, which are both caught by the proxy. Every POST to the login page is recorded in the proxy history. The image above shows one attempt.

Right click a POST request and click “Send to Intruder”, or highlight it and press CTRL+I. This takes you to the Intruder module. Go to the Positions tab. We do not want to change the user value, so clear that payload marker and leave only the password marked. The page should look like the following.

Next go to the payloads tab. Either paste the values in from the passwords text file or upload the entire file if you saved a local copy. There should be 23 requests.

Click the “Start attack” button in the upper right corner. The attempts go by quickly, even with the free version of Burp Suite. The page does not signal failure with an HTTP status code: every response is 200 (OK). Our saving grace is that the successful login shows more content, so its response is larger. Sort the results by the Length column and the one outlier is the correct password.


Hydra

Hydra is a command line tool that can make quick work of many kinds of brute force attempts, but the syntax can be a little confusing. Below is the command to use to brute force this form. You’ll also have to save the passwords file locally before trying it.

hydra -l 'iAm' -P wordlist.txt www.greenjam94.me https-post-form -I "/login.php:name=^USER^&pswd=^PASS^:Incorrect password"

I will break down the options used above.

  • -l a single username to try (a lowercase L; -L takes a file of usernames instead)
  • -P the password file; the uppercase options take a file with one value per line
  • www.greenjam94.me the target host, which comes right after the options
  • https-post-form the module for the kind of form you’re targeting; the full list is in the man page (manual)
  • -I ignore any restore file left over from an interrupted run instead of waiting on it
  • “1:2:3” the module’s parameters, separated by colons:
    • 1 is the path on the host, which always starts with a “/”
    • 2 is the POST body with the form field names; ^USER^ and ^PASS^ mark where the values go
    • 3 is a string that appears in a failed login’s response. It doesn’t have to be the complete message, a colon in it must be escaped, and prefixing it with S= makes Hydra look for a success string instead.

Running this command you should see something like the following.

Feel free to try each method out once on your own on my login page! Please don’t do it repeatedly though; that is basically asking everyone to DoS me, and I want to keep my websites up without pissing off my hosting company. If you use Hydra, add -t 1 (or another small number) to limit parallel connections, since by default it opens 16 at once.
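The two detection tricks above (Burp Intruder’s response length and Hydra’s failure string) are easy to see in code. This is an added example, not code from the original post: a local stand-in for the login.php form described earlier (hash the submitted password, compare it to a stored hash, answer 200 OK either way) plus a brute-force client that finds the hit both ways. The field names, salt, secret password and wordlist are constructed for the example and are not the real page’s values.

```python
"""Added example: stand-in login form plus a brute-force client that
spots the hit by failure string (Hydra) and by response length (Burp)."""
import hashlib
import hmac
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERNAME = "iAm"                       # the username the post hands out
SECRET = "ch4ng3me"                    # constructed; not the real answer
SALT = b"constructed-salt"
STORED_HASH = hashlib.sha256(SALT + SECRET.encode()).hexdigest()
FAILURE_STRING = "Incorrect password"  # what Hydra's third field matches on
# Constructed wordlist standing in for the post's passwords text file.
WORDLIST = ["password", "letmein", "123456", "iAm", "ch4ng3me", "hunter2", "qwerty"]


def check_login(name, pswd):
    """The form's only logic: hash the input and compare to the stored hash."""
    digest = hashlib.sha256(SALT + pswd.encode()).hexdigest()
    return name == USERNAME and hmac.compare_digest(digest, STORED_HASH)


def render(name, pswd):
    """Both outcomes are 200 OK; only the body (and so its length) differs."""
    if check_login(name, pswd):
        return 200, "<h1>Welcome back, %s</h1>" % name + "<p>secret stuff</p>" * 10
    return 200, "<p style='color:red'>%s</p>" % FAILURE_STRING


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end so the client can really POST, as Burp/Hydra do."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        status, body = render(form.get("name", [""])[0], form.get("pswd", [""])[0])
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def http_sender(url):
    """Build a sender that POSTs name/pswd to url and returns (status, body)."""
    def send(name, pswd):
        data = urllib.parse.urlencode({"name": name, "pswd": pswd}).encode()
        with urllib.request.urlopen(urllib.request.Request(url, data=data)) as r:
            return r.status, r.read().decode()
    return send


def brute_force(send, name, wordlist):
    """Try every word once; report the hit by both signals the post relies on."""
    results = [(w,) + send(name, w) for w in wordlist]  # (word, status, body)
    # Hydra-style: the one response that lacks the failure string is the hit.
    by_string = [w for w, _, body in results if FAILURE_STRING not in body]
    # Intruder-style: sort by Length; the longest response is the hit.
    longest = max(results, key=lambda r: len(r[2]))
    return {
        "failure_string_hit": by_string[0] if by_string else None,
        "length_outlier": longest[0],
        "status_codes": sorted({s for _, s, _ in results}),  # all 200: no help
    }


if __name__ == "__main__":
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/login.php" % srv.server_port
    print(brute_force(http_sender(url), USERNAME, WORDLIST))
    srv.shutdown()
```

Running the file starts the stand-in form on a random loopback port and brute forces it over HTTP; `brute_force` also accepts `render` directly as the sender when no socket is wanted. Note that the length signal only works because the success page is much bigger than the error page; a site that returns a fixed-size page or a redirect on success needs the status code or a `Location` header as the signal instead.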

After finding the correct password, I suggest typing in the password manually and visiting the successful web page. Headphone alert, don’t use them. Speakers at high volume before submitting the form work best.

Know of any other good tools for online brute forcing? Let me know in a comment or on twitter. I hope you found this post to be helpful.

Volunteering at GrrCON 2017

GrrCON 2017, the seventh year and my third time attending. I volunteered again this year because it is a lot more involved than being a regular attendee. I’ve been to other conferences where volunteering burns you out. GrrCON is the only con where I could be in the middle of one job and ask “What more can I do to help?”.

The 2017 Difference

GrrCON hasn’t changed much since I have started coming to it. There are great speakers, supportive vendors, free beer, and even a tattoo artist. The organizers and volunteer staff do a great job putting on such a quality conference every year. If you haven’t been before, I strongly recommend going next year.

One big difference this year was the overwhelming amount of registrations. Apparently there were so many vendors and attendees signing up, registration had to be capped before we exceeded the amount of swag that was preordered. Attendees that got in later in the day had to use badges from previous years because we ran out.

Vendors were also placed in the hall outside of the tracks for speakers because the vendors area wasn’t big enough. While it was cool to see charities, local community groups, and school programs in a high traffic area, it still separated them from the vendors area.

All of the talks were recorded by IronGeek. He does a great job recording everyone who wants to be recorded and gets the videos posted online quickly. Go and check out the list of videos from this conference; each of the speakers gave a good talk. The number of talks I want to see is already in the dozens.

My Experience


Volunteers arrived a day early to get everything set up and swag bags ready for registration. It was a long day of preparing badges and unloading boxes but it flew by. There were a ton of people to help and it was great to catch up and see what people have been doing since last year. I forgot how fun it was to mess with Jen and the rest of the GrrCON family.

Wednesday night was the speaker dinner. People were always moving around to say hi or get another drink. I saw a lot of old friends that I haven’t seen in a while. It’s been said for a while that GrrCON is more of a family reunion than a security conference and this dinner made me truly believe that. I also picked up a set of Hak4Kidz badges that night. It’s a great group and I wanted to show my support.

One cool story I’ll share is that I was sitting with the guys from the IoT hacking village. They told me about the bluetooth badges, a pi zero that did half of a handshake with nearby devices. The badge tracked the overall number of bluetooth devices it could interact with. After a certain number of devices were identified, it also started playing with wifi networks. I wasn’t told more because it was a challenge for the village, but I was really interested in the project.


Thursday morning started at 6 am. I was one of the first volunteers to show up and help set up registration. We carried all the swag bags to the front table and added a few gifts to some of the bags. My jobs for the rest of the day were to float around the vendor area in the morning and to help with the mi-go track in the afternoon.

Thursday night we partied at Z’s, I met up with some of #misec‘s finest and had a great time. The bar was doing karaoke and Lintile sang a tribute to #TrevorForget. After Z’s we got a drink at Founders before crashing for another early morning the next day.


Friday’s job was to help with the large speaker track and then play bouncer for the VIP area. While working the VIP area, I was able to have another volunteer tag in so I could go watch a friend give her first talk.

The day went by even faster than Thursday and it seemed like we were tearing down parts of the conference before the talks were even finished. After the con, I had a quick dinner with a few friends, said my goodbyes and left for home.

What is Next?

Next year’s GrrCON will be September 6 & 7! CFP and tickets will open in March. I believe that GrrCON ’18 will be in a larger part of DeVos place in order to accommodate the spike in attendance.

Hopefully I’ll get a speaker badge as well as a volunteer badge next year. It’s just an idea right now. I don’t want to give away too many spoilers, but we’ll find out in March!

The bluetooth badge also gave me an idea, however I have no clue where to start with it. I think it would be cool to get a scrolling LED strip on a hat to display messages like “Hello <bluetooth_device/wifi SSID/etc>!”. I’ll have to reach out to friends and see if that’s an easy project and if it’s actually do-able. Do you think it would be cool to walk around the conference with this?

Installing Kali and Metasploitable on VirtualBox

Have you ever wanted to be a 1337 hacker like you see in the movies? Metasploit automates some of the harder tasks related to penetration testing. This blog post is quick setup to install two virtual machines that will allow you to explore how to use Metasploit.

Step 1: Get files needed to create the VMs

Step 2: Setup Kali

Open VirtualBox, click File > Import Appliance. Choose the kali.ova file that you downloaded from the link above. Click continue to review the VM settings. Hit import, none of the settings should require changing. The import will take a few minutes to complete depending on your machine.

If the VM fails to start after import, read the details of the failure. If it’s related to USB emulation then change the settings. Open the VM settings by right clicking the VM. Click settings. Find the ports tab and click USB. Change the emulation from 2.0 to 1.1 and everything will be good to go.

The default credentials are root / toor. To use Metasploit for the first time there’s some setup required. In a terminal, start the PostgreSQL database with service postgresql start, initialize the Metasploit database with msfdb init, then check that everything works by running msfconsole (db_status inside the console confirms the database connection).

Step 3: Setup Metasploitable2

We will need to create a linux machine and use the virtual hard drive from the .zip folder that was downloaded earlier. First step is to unzip the folder and find the Metasploitable.vmdk file.

Next go to VirtualBox and create a new machine of type Linux / Ubuntu. Name it whatever you’ll remember; I used Metasploitable2. Metasploitable 2 is a 32-bit Ubuntu 8.04 image, so the 32-bit Ubuntu type is the accurate choice, although the 64-bit type boots it as well. Click continue once everything looks correct.

Change the memory size to at least 512 MB and click next. Then select “Use an existing virtual hard disk file” and pick the .vmdk file we found earlier. The last step is to click create.

Start the box and confirm everything is working as expected. The default credentials are msfadmin/msfadmin. Run ifconfig to see what the box’s IP address is; this comes in handy when scanning for the machine from Kali. My machine is at

Step 4: Double check networking

Metasploitable is intentionally vulnerable, so it must never be reachable from the internet. Put both VMs on the same isolated network: in each VM’s settings, set the network adapter to Internal Network (or Host-only) with the same network name on both. That keeps Metasploitable off the internet and invisible to anyone outside your machine, while Kali on the same network can still reach it.

NAT alone is not the right choice here. It blocks inbound connections from outside, but it still gives the VM outbound internet access, and with the default per-VM NAT each VM sits behind its own virtual router, so Kali would not be able to reach Metasploitable at all. Host-only is also the option to pick if you install Metasploit on your base host and skip the Kali install, because the host gets an interface on that network.

Step 5: Attack

Now play around with Metasploit! Get on Kali, ping the Metasploitable2 machine to make sure it’s in reach. Run msfconsole for a CLI interface or open armitage for a GUI. A lot of walkthroughs are online that can be a good place to start playing with Metasploit.

More info

For more information on how to use Metasploit, check out Offensive Security’s free course. Look for some articles such as the series from null-byte. Read a book about it, buy now from No Starch Press. My motive for posting this is a lightning talk I gave at #misec this month. The IntroToMSF slides are hosted here for those who are interested.

PHP Regex tutorial

Have you ever wondered how web applications do validation on forms? How does the app know when your input is really an email address? In most PHP applications, this is done using regular expressions (Regex).

I’ve previously posted about how to defend against XSS and SQL injection. Checking strings with a white list of allowed characters is one of the easiest changes a developer can make. Regex makes this easy in most programming languages.

In that post I linked to RegexOne. The site had a pretty good cheatsheet covering how regex is useful. This is only really helpful if you are familiar with how regex works.

If you’re looking for a more complete tutorial, try this. Guru99 reached out to me to promote their new tutorial: PHP Regular Expressions Tutorial: Preg_match, Preg_split, Preg_replace. It looks like a pretty comprehensive tutorial, and I suggest looking at it to learn some of the basics of regex.
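The allow-list check described above has one classic pitfall worth seeing in code: `^...$` also accepts a value with a trailing newline, because `$` matches just before a final newline in both PCRE (preg_match) and Python’s re module. This is an added example written in Python rather than PHP, not code from the original post or the linked tutorial; the patterns and inputs are constructed. In PHP the fix is the D modifier or `\A...\z` in place of `^...$`; in Python it is `re.fullmatch`.

```python
"""Added example: allow-list validation, the naive way and the whole-string way."""
import re

# Constructed allow-list patterns: what the field is permitted to contain.
USERNAME_CHARS = r"[A-Za-z0-9_]{3,16}"
EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"


def naive_check(pattern, value):
    """The common first attempt: wrap the allow-list in ^ and $.
    $ matches before a trailing newline, so 'alice\\n' slips through."""
    return re.search("^" + pattern + "$", value) is not None


def allow_list_check(pattern, value, max_len=254):
    """Whole-string match only: fullmatch rejects 'alice\\n'.
    The length cap bounds how much input the regex is asked to examine."""
    return len(value) <= max_len and re.fullmatch(pattern, value) is not None


def classify(value):
    """Run both checks on one username so the difference is visible."""
    return {
        "naive": naive_check(USERNAME_CHARS, value),
        "allow_list": allow_list_check(USERNAME_CHARS, value),
    }


if __name__ == "__main__":
    for sample in ["alice", "alice\n", "alice<script>", "ab"]:
        print(repr(sample), classify(sample))
    print("email ok:", allow_list_check(EMAIL, "bob@example.com"))
    print("email with newline:", allow_list_check(EMAIL, "bob@example.com\n"))
```

The newline case matters because a value that passes validation is usually echoed or stored as-is; a check that lets `alice\n` through as `alice` is a check that does not describe what it accepts.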

Do not waste your time with HPKP

This is my last post related to HTTP Public Key Pinning (HPKP). This is a post in response to Scott Helme’s latest post about him giving up on HPKP and how my blog is a perfect example of his concerns.

In the past I’ve written three articles about the HPKP header:

The point of each of these articles is pretty well summed up in its title. For work, I was tasked with learning about HPKP, and of course I made blog posts as I tried out the new header.

Starting with HPKP

While learning about HPKP, Helme’s posts were a great resource for me. Thanks to him, I was able to understand the process well enough to get some tests up online using this domain.

Everything worked fine until I had to renew my LetsEncrypt SSL certificate. Renewing caused the public key pin to not match the certificate and blocked all users who visited my blog with a browser that supported HPKP.

Running into issues

In Helme’s post, my issue is part of the “bad hygiene” he warns against. HPKP requires the operational discipline to keep certificates, keys, and pins in step with each other. Using LetsEncrypt’s certbot to auto-renew my certificate without planning for the pins meant I wasn’t keeping track of which keys were pinned, so I was unable to properly support the header.

In order to “resolve” the issue, I had to strip the header from my site and ask anyone affected to clear the pin their browser had cached for my domain.


It is at this point that I agree with Helme’s conclusion that “One of the biggest concerns I have with HPKP right now is sites trying to use it and getting it wrong”, especially since my blog is one of the sites that proves how easy it is to get wrong! It’s because of this difficulty, and the massive impact a bad certificate/pin combination has on end users, that I agree HPKP is not worth implementing.
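The failure described above is mechanical, and it helps to see exactly where it bites. This is an added example, not code from the original post or from Helme’s: it computes the pin-sha256 value a Public-Key-Pins header carries, applies the checks a browser makes before it notes the pins (RFC 7469 requires at least two pins, one matching the served chain and one backup that does not), and then replays a certificate renewal with a brand-new key against pins a browser already cached. The SPKI byte strings are constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures, not real keys.

```python
"""Added example: HPKP pin computation, header acceptance rules, and the
renewal-with-a-new-key lockout."""
import base64
import hashlib


def spki_pin(spki_der):
    """pin-sha256 = base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_header(pins, max_age, include_subdomains=False):
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_header(value):
    pins, max_age = [], None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")  # first '=' only: pins end in '='
        if name.lower() == "pin-sha256":
            pins.append(arg.strip('"'))
        elif name.lower() == "max-age":
            max_age = int(arg)
    return pins, max_age


def browser_notes_pins(header, chain_spkis):
    """A UA records the pins only if max-age is present, there are at least
    two pins, one matches a key in the served chain and at least one (the
    backup pin) matches no key in the chain (RFC 7469)."""
    pins, max_age = parse_header(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if max_age is None or len(pins) < 2:
        return False
    return any(p in chain_pins for p in pins) and any(p not in chain_pins for p in pins)


def connection_allowed(noted_pins, chain_spkis):
    """On a later visit the served chain must contain at least one pinned key."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p in chain_pins for p in noted_pins)


# Constructed stand-ins for three key pairs (not real SPKI structures).
LEAF_KEY = b"constructed SPKI DER: key in use when the pin was set"
BACKUP_KEY = b"constructed SPKI DER: spare key generated ahead of time"
RENEWED_KEY = b"constructed SPKI DER: fresh key made by an automated renewal"


def renewal_scenarios():
    good = build_header([spki_pin(LEAF_KEY), spki_pin(BACKUP_KEY)], 5184000)
    noted, _ = parse_header(good)  # what a visitor's browser cached
    return {
        # Header accepted: two pins, one live, one backup.
        "header_accepted": browser_notes_pins(good, [LEAF_KEY]),
        # A single-pin header is ignored outright (no backup pin).
        "single_pin_accepted": browser_notes_pins(
            build_header([spki_pin(LEAF_KEY)], 5184000), [LEAF_KEY]),
        # The blog's failure: renewal used a brand-new key while pins were cached.
        "after_renew_new_key": connection_allowed(noted, [RENEWED_KEY]),
        # Safe renewals: reuse the key, or issue the new cert for the backup key.
        "after_renew_same_key": connection_allowed(noted, [LEAF_KEY]),
        "after_rollover_to_backup": connection_allowed(noted, [BACKUP_KEY]),
    }


if __name__ == "__main__":
    for name, outcome in renewal_scenarios().items():
        print("%-26s %s" % (name, outcome))
```

The lockout lasts for the whole `max-age` the browser recorded (5184000 seconds is 60 days), which is why stripping the header from the server does nothing for visitors who already cached the old pins; only a cert for a pinned key, or the visitor clearing the pin, gets them back in.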

Please go and read Helme’s post if HPKP is something you deal with or if you’re starting to look into it as well!


Ever sit at a bar with friends and try to have a conversation but the TVs behind the bar were too loud? If only there was a quick convenient way to turn them all off at once. This is where the TV B GONE remote comes in. A simple kit that sends over 100 “power off” signals to TVs within a 150 foot range at the push of a button.

The noisy bar situation has happened to me many times at security conferences. At the very least, the conversation that follows would be quite interesting. The kit requires some soldering, but the instructions from Adafruit are very clear and easy to read.

TV B GONE looks cool by itself. The exposed circuit board has a certain appeal. In order to give it some protection and provide a better grip, there’s a case that can be 3D printed. The design is hosted on Thingiverse. If you’re looking to do the same, don’t cut the wires to the battery holder when building the kit: the case is thinner than the stock layout and puts the holder next to the board instead of back to back.

Printing the case

The case printed very well. The design orients the pieces so that only a small surface area touches the build plate, though to get a clean print I had to rotate some of them 90 degrees. There were 4 parts included and total print time was still under 4 hours. After printing, I sanded and painted the case. If I were to do it again, I’d spend more time sanding and try to be more aware of any “low spots”. The paint didn’t cover some small blemishes as well as I expected.

After 3D printing the case, I followed the instructions linked above to solder the kit together. While soldering, I was too focused to take pictures of the process. The final assembly was also pretty easy. I used super glue to stick the battery holder to the front of the case and attach the back of the case.


So far I’ve been able to turn off every TV in my house. I’ve even been able to turn off multiple TVs when they’re in range. I look forward to bringing it to future security conferences and using it as a talking point.

I recommend anyone who wants a soldering project to attempt this build. It didn’t take long and the only required tools are AA batteries, a soldering iron, and wire clippers.

Breaking My Blog with WPscan

One of the tools offered by default in Kali and many other hacking related distros is WPscan, a black box WordPress vulnerability scanner. I wanted to learn how to use this tool because it would help with recon on CTF challenges, practice boxes from vulnhub, and even trying to keep my own blog vulnerability free.


Before I tell you more about the tool and how it can be used, I have to throw out the usual disclaimer. Do not use this tool on any WordPress site you don’t own or have permission to scan. I ran WPscan on my own blog and brought the whole site to its knees. If you did that to a professional blog or your company’s blog then you could have major problems when you get caught.


If you don’t have a personal WordPress instance to test, then look at getting OWASP’s Broken Web App installed. It has a vulnerable instance of WordPress included that you can scan against and even try to harden. When things break, just reinstall the VM and start over from scratch.

I have a Kali VM installed on most of my computers. Open a terminal and type wpscan -h to see all of the options for scanning a WordPress instance. If you want to skip the “bells and whistles”, run wpscan --url <target> --enumerate p to scan for vulnerable plugins.

The scan and the results

WPscan looks for version numbers and other exposed information that can be compared against its database of known vulnerabilities. Running it against my site found one vulnerability and also flagged that the WordPress version was public. I was able to research the vulnerability using the links in the scan output. While the “fix” isn’t a perfect patch, it’s better than ignoring the vulnerability until the next update is ready. The version was easy enough to hide by deleting the stock readme.html file.

The finding was still reported on the next scan. The scanner is a quick tool that matches on version numbers and other information exposed by the site; it has no proof of concept step and makes no attempt to validate whether a finding is a false positive.
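Deleting readme.html removes one of the places the version leaks from, not all of them, which is why a version-based scanner keeps reporting. This is an added example, not the original post’s or WPscan’s own code: the same passive checks a WordPress scanner makes (readme.html, the generator meta tag, and the ?ver= query string on core assets), run over constructed page text rather than a live site. The HTML and the version string 4.8.3 are samples made for the example.

```python
"""Added example: passive WordPress version fingerprinting over constructed
page text, showing the leak survives the removal of readme.html."""
import re
from collections import Counter

# Constructed samples modeled on stock WordPress output; 4.8.3 is a sample value.
README_HTML = ('<h1 id="logo"><a href="https://wordpress.org/">WordPress</a>'
               '<br />Version 4.8.3</h1>')
HOMEPAGE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.8.3" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=4.8.3" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="/wp-includes/js/wp-embed.min.js?ver=4.8.3"></script>
</head><body></body></html>"""

VERSION = r"(\d+(?:\.\d+)+)"


def version_from_readme(text):
    """Stock readme.html prints 'Version X.Y.Z' under the logo."""
    m = re.search(r"Version\s+" + VERSION, text or "")
    return m.group(1) if m else None


def version_from_generator(html):
    """wp_head() emits <meta name="generator" content="WordPress X.Y.Z">."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+' + VERSION,
                  html or "", re.I)
    return m.group(1) if m else None


def version_from_ver_params(html):
    """Core assets under /wp-includes/ and /wp-admin/ carry ?ver=<core version>.
    Bundled libraries (jQuery here) carry their own version, so take the value
    that appears most often rather than the first one seen."""
    vals = re.findall(r"/wp-(?:includes|admin)/[^?\s>]*\?ver=" + VERSION, html or "")
    return Counter(vals).most_common(1)[0][0] if vals else None


def fingerprint(readme, homepage):
    """Collect every source and report the majority version; None if nothing leaks."""
    found = {
        "readme.html": version_from_readme(readme),
        "meta generator": version_from_generator(homepage),
        "?ver= query string": version_from_ver_params(homepage),
    }
    votes = Counter(v for v in found.values() if v)
    found["version"] = votes.most_common(1)[0][0] if votes else None
    return found


if __name__ == "__main__":
    print(fingerprint(README_HTML, HOMEPAGE_HTML))
    print(fingerprint(None, HOMEPAGE_HTML))  # readme.html deleted: still leaks
```

To close the other two sources on a real site, the usual WordPress-side changes are `remove_action('wp_head', 'wp_generator');` for the meta tag and filters on `style_loader_src` / `script_loader_src` that strip the `ver` argument; hiding the version is still cosmetic next to actually applying the update.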

Unexpected fun with WPScan

While running the scanner, the --enumerate p option floods the site with requests to find installed plugins. This crippled my site: more than 20 simultaneous database connections made it unresponsive. That wasn’t solely the scanner’s fault, but the fact that I created this blog in college and took the cheap and easy route: Digital Ocean’s one-click WordPress image on the smallest VM.

The reason I’m not afraid to tell all you hackers about this is because I was able to resolve the issue with some help from friends at #misec. They told me about adding a swapfile that could help boost some power to my little VM. Since then I’ve been able to run WPscan multiple times without a single fatal performance issue.

Edit: A swapfile is NOT recommended for preventing DoS resulting from scans or a spike in traffic. This is a quick fix and a cheap band aid. If your company uses WordPress or you have a personal blog thats getting a lot of traffic, upgrade the VM or migrate to a better server that can handle the requirements. This was pointed out to me when I first heard of using a swapfile and again on Twitter after posting this.

Twitter reply

Converge 2017

May 11-12th was the Converge conference. If you’re in Michigan and are curious about information security, then I suggest you look at attending next year. For those that missed this year, Irongeek recorded all the talks and posted them online for you! Watch some of the talks and then put an alert on your phone to buy tickets for next year.

Converge is a great conference. I’ll admit I’m partial because it’s in my backyard. However that isn’t the only reason I like it. The talks cover great content, the speakers are friendly, and it’s not so big that guests feel like they’re lost in a sea of other attendees.


On Thursday, I spent the morning volunteering with Irongeek recording talks for track 2. Helping with A/V is great because I get to volunteer and watch talks with a front row seat. In the afternoon I networked with people in the halls, after all that’s the most important part of a conference, right?

Friday was a lot of fun. I started off by playing with a new toy: a Nexus phone loaded with Kali NetHunter. I’m still exploring the tools on it, but one of them is the Mana wireless toolkit, which lets me broadcast a wireless network. This makes for excellent trolling, especially for those who get the inside joke. There was some evidence at GrrCON a few years ago.

I know at least one person noticed because they had a screenshot for me to share!

Learning how to pen test

The rest of the day, I was in training for web application pen testing. Kevin Johnson from SecureIdeas offered a 1 day version of his week long training course. We went over a lot of great topics, like his recommended methodology and the tools that pen testers can use.

While the training was amazing, it’s still something that Kevin offers others, so I don’t want to spill too many secrets. I do suggest that if you’re interested that you take a look at his site, secretideas.com.

I’ve said it before on these blog posts and I’ll say it again. Conferences are a great center for networking, learning, and growing if you’re looking at getting into the information security industry. Hopefully my stories from this year’s Converge has convinced you to attend the next conference in your area!

Building a community

At the #misec meeting I attended in mid April there was a panel on building an infosec community… so I’m borrowing their title for a post and giving my two cents in order to spread the topic!

I won’t give a huge synopsis of who said what like I did in my last post about a #misec panel. Instead, please watch #misec’s video on youtube if you’re interested in what was shared.


There were two general categories of discussion at the panel; meetups like #misec or BurbSec, and conferences like Converge or Thotcon. Your community is probably a collection of both. For instance, #misec was born from Bsides Detroit members who wanted more and created monthly meetings to have a smaller (more frequent) version of a Bsides conference. Two aspects are required to start or build a community; networking and attendance.

In order to have a community, people need to attend and contribute. In order for people to know where to show up, there needs to be some kind of networking and outreach. “Grabbing people” is a good way to start a meetup. Find people at a conference, ask around, and tweet to see what the interest is. Welcome everyone and follow up with people and the rest will fall into place. A conference works in the same way as there is a dependency on people. Volunteering, speaking, and attending is the core of networking.

Why me?

Meeting people and networking is a two way street. You get chances to volunteer at conferences, speak out about your interests and get feedback from others in the industry, and there are usually job offers and professional networking involved as well. Even if you’re an introvert and it’s stressful, making a name for yourself and showing people what you’re made of is huge in this industry and there’s a lot of great connections to be made through these communities.

Be involved. It keeps you busy. There are many ways to grow, whether through volunteering at a conference or stumbling through your first talk at a meeting. Being able to inspire others and help them grow is also an awesome part of being in an infosec community. A community is nothing without people, and you are one of those people.


To keep it short and sweet, try to use the following checklist:

  1. Go to conferences
    • Volunteer if it’s too expensive
    • Volunteer if it’s local and you want to contribute
    • Respond to the CFP or call for papers if you have something fun to share
  2. Join twitter and ask for help
  3. Find the closest citysec meeting and go
    • Start your own if the closest isn’t close enough
  4. Wash, rinse, and repeat