The Exploring Information Security podcast interviews a different professional each week exploring topics, ideas, and disciplines within information security. Prepare to learn, explore, and grow your security mindset.
This isn’t the easiest thing to do. Now that I’m writing the podcast post after recording and editing the podcast, I have a sense of relief. For the last month plus, I’ve tried to decide whether or not to shut down the podcast. The fact that it took this long to record a final episode tells me that it was time. I wrote about my reasoning in a blog post on the main page. This may or may not be the end. That largely depends on if someone would like to pick up the podcast and produce it themselves. I’d love to guide and mentor someone on the journey. The podcast has been beneficial to me and the many people who have reached out providing appreciative feedback. I’d love to see it continue. I’m also content that this is the end of the podcast. I will be at BSides Nashville shooting pictures and very likely be at DEFCON manning the Social Engineering door. Come see high or reach out to me on social media (@TimothyDeBlock) or email (timothy[.]deblock[@]gmail[.]com).
Daniel (@notdanielebbutt) and Kyle (@chaoticflaws) are the two guys I go to for clicking on suspicious links. Recently, I’ve been seeing more Emotet. So, I wanted to have the guys on to talk about the malware that is making a comeback. The CFP is open for Converge Conference. The conference is May 16 and 17. They’ll have one day for blue team topics and one day for red team topics. Make sure to submit your malware related talk topics. Also make sure to check out MiSec if you’re in Michigan.
2018 was a good year. I made some format changes that I’m really happy with. I picked up some new audio equipment. I resolved my recording process (I think). I’m not a big statistics guy. I don’t really care if two people or 200 people listen. I’m just happy to have some really great conversations with people and contribute back to the community. I’ve got a new recording setup that will hopefully make producing a podcast much easier. I’ve setup a Twitch channel for gaming and potentially recording EIS episodes on. Follow for notifications on when I go live. I’ll be trying my first EIS episode Monday, January 7, 2019, at 8:30 p.m. CT. I’ve also turned what was my attempt at a GamerSec Discord channel into the Exploring Information Security channel. Here you can interact with us while record (or on Twitch). Join other people interesting in the podcast. Game with other infosec professionals. Thank you for being a listener of the podcast. I am refreshed from my month off and energized for what’s ahead in 2019.
Micah (@WebBreacher), Josh (@baywolf88), and Justin (@jnordine) join me to go over a variety of topics at DerbyCon 2018. The Hyatt was kind enough to provide space near the bar (shout to the amazing Lauren).
Micah (@WebBreacher), Josh (@baywolf88), and Justin (@jnordine) join me to go over a variety of topics at DerbyCon 2018. The Hyatt was kind enough to provide space near the bar (shout to the amazing Lauren).
This past DerbyCon, I had the opportunity to take the Advanced OSINT with Ryan (@joemontmania) and Colleen (@UnmaskedSE). The course was great! It was different from some of the other OSINT courses I’ve taken. They covered very specific techniques and tools. After presenting on those techniques and tools we were given the opportunity to dive in from a free-form standpoint.
This is a solo episode. I had the idea after sitting in a vendor pitch today where one of the sales guy mentioned that passwords WILL die. I disagree. I think passwords have been around for a long time and will continue to be around. They’re easily replaceable and is stored in the most secure location. Unless there are mind readers, then we’re all just screwed anyway. I would love some thoughts and feedback on this one.
Stu (@cybersecstu) is a Co-Founder of The Many Hats Club, which is a massive Discord community and podcast. Earlier this year, Stu started sharing Unusual Journeys. I love this series because it highlights that there is no true path into infosec. He’s had 18 series so far and each story is fascinating.In this episode we discuss:Why failure is goodWhat sticks out from theses storiesWhat are some of the backgrounds people come from
Stu (@cybersecstu) is a Co-Founder of The Many Hats Club, which is a massive Discord community and podcast. Earlier this year, Stu started sharing Unusual Journeys. I love this series because it highlights that there is no true path into infosec. He’s had 18 series so far and each story is fascinating.In this episode we discuss:What started Unusual JourneysHow Stu got into infosecWhat we can learn from these stories
Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.In this episode we discuss:How important is it for the company to take security seriouslyHow would someone get started improving communication?Why we have a communication problem in infosecWhere should people startMore resources:Networking with Humans to Create a Culture of Security by Tracy Maleeff - BSides NoVa 2017Courtney K BsidesLV 2018, Implementing the Three Cs of Courtesy, Clarity, and Comprehension to Optimize End User Engagement (video not available yet)BSidesWLG 2017 - Katie Ledoux - Communication: An underrated tool in the infosec revolutionJeff Man, The Art of the Jedi Mind TrickThe Thing Explainer: Complicated Stuff in Simple WordsChris Roberts, Communication Across Ranges
Claire (@ClaireTills) doesn’t have your typical roll in infosec. She sits between the security teams and marketing team at Tenable. It’s a fascinating roll and something that gives her a lot of insight into multiple parts of the business. What works and what doesn’t work in communicating security to the different areas. Check her blog out.In this episode we discuss:What Claire’s experience is with communication and infosecWhat’s ahead for communication in infosecWhy do people do what they do?What questions to askMore resources:Networking with Humans to Create a Culture of Security by Tracy Maleeff - BSides NoVa 2017Courtney K BsidesLV 2018, Implementing the Three Cs of Courtesy, Clarity, and Comprehension to Optimize End User Engagement (video not available yet)BSidesWLG 2017 - Katie Ledoux - Communication: An underrated tool in the infosec revolutionJeff Man, The Art of the Jedi Mind TrickThe Thing Explainer: Complicated Stuff in Simple WordsChris Roberts, Communication Across Ranges
When I have guests hop on the podcast, I usually try to break the ice a little and get them warmed up for the episode. Often times these can turn into some really good conversation about the infosec field. I'd like to start capturing those conversation and release them (with the person's permission), because there are some really great insights. I've released this episode early to the people on my newsletter (check below to get in on the fun). I wanted to get feedback and also give people who sign-up some bonus content, which is something I hope to do more.
Wes (@kai5263499) is not a security person. He is a developer. A developer that understands security and why it's important. He deals a lot with automation and working with container technology.
Wes (@kai5263499) is not a security person. He is a developer. A developer that understands security and why it's important. He deals a lot with automation and working with container technology.
Justin (@jms_dot_py) is the creator of Hunchly. I got to know Hunchly at SANS SEC487 OSINT training earlier this year. It's a fantastic tool that takes screenshot as the web is browsed. This is very useful for investigations involving OSINT. I'm also finding it useful for incident response, particularly for clicking on phishing pages. I sometimes forget to take screenshots as I'm investigating a phishing page. Having Hunchly means, I don't have to worry about taking screenshots. I then use the screenshots for reports and training. It's a really useful tool.
Paul (@paulpaj) wrote a blog post on how to make a successful burp extension and get it published in the Burp Store. A lot of the recommendations in the article are from Paul's experience handling extension submissions for the Burp Store.
Michael (@SiliconShecky) wrote a blog post on his site at the beginning of the year titled, It is CFP season... So what. In the article he hit on rejections and I thought it'd make for a great podcast topic. More recently, he wrote a blog post on the, Anatomy of a Rejected CFP. The article walks through his rejected CFP for DerbyCon.
Chris (@cmaddalena) joins me to discuss crafting a phishing email. This is something I've recently explored at work. Having little to no experience actually crafting a phish, I decided I'd go to someone who does this on a regular basis. Check out Chris' ODIN tool for automating intelligence gathering, asset discovery, and reporting.
Chris (@cmaddalena) joins me to discuss crafting a phishing email. This is something I've recently explored at work. Having little to no experience actually crafting a phish, I decided I'd go to someone who does this on a regular basis. Check out Chris' ODIN tool for automating intelligence gathering, asset discovery, and reporting.
Micah (@WebBreacher), is a SANS Instructor and author of the SEC487 OSINT course. He recently had his second class in Denver, Colorado (more dates here). During that class he found people asking about how to navigate the waters of OSINT resources. His solution was to start the OSINT Resource Classification System (ORCS). It's a call for the OSINT community to standardize on how resources are categorized. YOGA or Your OSINT Graphical Analyzer is meant to be a visual aid for people looking to navigate the streets of OSINT resources.
Stuart (@Stuart_A_Scott) and George (@georgegerchow) both have contributed content to CloudAcademy on GDPR. Stuart has a nine hour course on using AWS Compliance Enabling Services. George has a done a webinar and written an article on the topic. Both are well spoken and highly informed on the topic. They provide a lot of good direction for anyone looking to account for GDPR in their organization (pro tip: everyone should be looking into this).
Stuart (@Stuart_A_Scott) and George (@georgegerchow) both have contributed content to CloudAcademy on GDPR. Stuart has a nine hour course on using AWS Compliance Enabling Services. George has a done a webinar and written an article on the topic. Both are well spoken and highly informed on the topic. They provide a lot of good direction for anyone looking to account for GDPR in their organization (pro tip: everyone should be looking into this).
Sean (@SeanThePeterson), is one of the most passionate infosec people you don't know. He recently did a talk at ShowMeCon on how to crack passwords. It was his first ever talk and pretty damn good. Sean joined me to give me his insights into password cracking.
Cliff (@BismthSalamandr), recently gave a talk at ShowMeCon on GDPR and why everyone should care. It's a really good talk and a great primer if you haven't dug into GDPR, yet (you should). Cliff is a recovering lawyer, so he's providing a different angle than your normal security professional.
Tanya (@shehackspurple), is a former developer turned security person. She speaks regularly at conferences around the globe. The topics often focus on working with developers to improve security, which is something I believe in. She's a project lead for OWASP DevSlop.In this episode we discuss:Why working with the developers is importantHow to talk to developersWhat are the benefits of working with developers?What are the top recommendations for talking to developers
Amanda Berlin (@InfoSystir), Wik (@jaimefilson), David Cybuck (@dpcybuck), April Wright (@aprilwright), and Dave Chronister (@bagomojo) join me on the live EIS panel at ShowMeCon, June 7, 2018. This is the first panel I've ever done for the podcast. It went so well, I hope to do more in the future. We cover a variety of topics and have a few laughs.
Jayson (@jaysonstreet), is the VP of Information Security at Sphereny. He and April Wright (@aprilwright) are doing training at both Black Hat and DerbyCon on how to achieve security awareness through social engineering. The training focuses on helping blue team members setup effective security awareness programs.
Jayson (@jaysonstreet), is the VP of Information Security at Sphereny. He and April Wright (@aprilwright) are doing training at both Black Hat and DerbyCon on how to achieve security awareness through social engineering. The training focuses on helping blue team members setup effective security awareness programs.
It's another podcast special! This one was at Converge and BSides Detroit. This one took a little bit to get going. When we did we got into a little bit of everything. Topics both in infosec and topics outside of infosec.
Amanda (@InfoSystir) gave a keynote at Converge last week. The topic: mental health. It's a great talk and something I recommend people watch. Mental health is very important in our field. A lot of us were bullied coming up through school. Others grew up in awful environments. We've gotten past those challenges to become successful information security professionals. There are still scars, however, and if we don't identify and address them it will lead to unhealthy actions. Especially, since we are in a high-stress field that is overwhelmed. We need to have an open dialogue about mental health. The downside to have a poor mental health. We need to share ideas on how to better address our state of minds. Often we feel alone. We are not. If you feel like you are in a bad place mentally, there are resources that can help. Call a hotline (1-800-273-8255). Do a Google search. There are people who can help. Family, friends, or mentors. You matter.
Keith (@andMYhacks), is a solutions architect at Bugcrowd. He's also the co-host of Application Security Weekly. While Keith works at Bugcrowd, he also has a lot of experience participating in bug bounty programs. Check out his website AttackDriven.io.
Micah (@WebBreacher) has spent the last year plus putting together the SANS SEC487 course. The course focuses on Open-Source Intelligence Gather and Analysis (OSINT). I had the pleasure of attending the very first iteration of the course. I had an absolute blast and would recommend the course to anyways (even those outside of infosec).
Micah (@WebBreacher) has spent the last year plus putting together the SANS SEC487 course. The course focuses on Open-Source Intelligence Gather and Analysis (OSINT). I had the pleasure of attending the very first iteration of the course. I had an absolute blast and would recommend the course to anyways (even those outside of infosec).
Steve (@SteveD3) has been covering BEC types of attacks for the past year at CSO. These types of attacks are increasing. It may get worse with GDPR requirements next month. This ended up being one of the more difficult podcasts to get scheduled. Steve and I had to cancel on each other a few times because of phishing related stuff.
Interviews are a nerve-racking process. Preparation provides more confidence and the ability to anticipate curve balls in an interview. Being prepared allows you to have more brain power when there is a question you didn't anticipate. When you're prepared, it shows. People tend to like candidates who are prepared. They can tell by how direct and decisive answers are to questions. There is one caveat to this. If your interview with someone as part of a network, there is more leniency in the interview.
Daniel (@notdanielebbutt) and Kyle (@chaoticflaws) are two of the people I go to when I need to have a better understanding of what a malicious link does. They're passion for clicking on links is out of this world. They also provide some really good insights into the work of clicking on links most people shouldn't. I asked if they'd be willing to walk me through building out a machine that could help me do what they do. They kindly obliged and thus another open mic podcast is born.
I'm taking a different approach to solo episodes and the podcast. I am going to blog about the solo episode before recording it. This will allow me to collect my thoughts. As a result of this, I hope, that it'll make the solo episode much more smoother. Usually, I write down some points and then just riff off that. Because I'd like to write more I figured this would be one way to improve quality of the podcast, while also providing some more elaborate show notes. With that, let's get to the topic at hand.
Jess (@drjessicabarker) runs the @cyberdotuk account on twitter and website. She's also the co-founder of Redacted Firm (@redactedfirm). She wrote an article last year that covered recommendations and tips for submitting to a conference Call for Papers (CFP). It all started with a tweet asking what's holding people back from submitting to a conference. Over 6,000 responses later there were a variety reasons, including "I don't know enough.' The article goes on to ask several organizers for their suggestions on submitting. In this podcast episode we dive into the article and much more.
Jess (@drjessicabarker) runs the @cyberdotuk account on twitter and website. She's also the co-founder of Redacted Firm (@redactedfirm). She wrote an article last year that covered recommendations and tips for submitting to a conference Call for Papers (CFP). It all started with a tweet asking what's holding people back from submitting to a conference. Over 6,000 responses later there were a variety reasons, including "I don't know enough.' The article goes on to ask several organizers for their suggestions on submitting. In this podcast episode we dive into the article and much more.
I've already written a couple blog posts on the topic. I've also created a GitHub page to track all my resources I intend to use in the presentation and training. The idea of the content is that we can use social engineering (like the red team) in our day-to-day interactions at work. We can use the same techniques to build better relationships and build better security mindsets in our organization. If you prefer soft skills.
Micah Hoffman (@WebBreacher) is a SANS instructor who will be teaching a brand new SANS course, SANS487: Open-Source Intelligence Gathering and Analysis. Kirby Plessas (@kirbstr) runs her own training company Plessas Experts Network, Inc. There is an online training portal that you can use to learn more about OSINT. Josh Huff (@baywolf88) is a Digital Forensics Private Investigator and OSINT addict. He runs the Learn All The Things website. This is a new format for the podcast that I am trying out. It's a lot like the conference episodes I do: It's longer; I allow swearing; and there is no format or direction. I asked for OSINT questions on Twitter and got some pretty good ones back for people to answer. I can turn this into a live show that would allow for people watching to interact with the guests on the show. I need feedback on whether or not this of interest to people. Hit me up on Twitter (@TimothyDeBlock) or email (timothy[.]deblock[@]gmail[.]com)
Chris (@humanhacker) is the Chief Human Hacker at Social-Engineer, Inc. He's the author of several social engineer books. He also has his own podcast. This past summer he announced the Innocent Lives Foundation, which has the objective of unmasking anonymous online child predators through OSINT and relationships with law enforcement. He is a social engineering Hulk in the field of information security.
Chris (@humanhacker) is the Chief Human Hacker at Social-Engineer, Inc. He's the author of several social engineer books. He also has his own podcast. This past summer he announced the Innocent Lives Foundation, which has the objective of unmasking anonymous online child predators through OSINT and relationships with law enforcement. He is a social engineering Hulk in the field of information security.
Wes (@kai5263499) is a cloud engineer, who loves to dig into Apple product security. Last year (and on a previous episode) he discuss how Macs get malware. He's back again this year to discuss how to hack iOS. He will be speaking at BSides Hunstville February 3, 2018. If you have a chance to go, be sure to check out his talk. Also, check out is OSX security awesome list on GitHub. It's a really useful set of links on This dude is really smart.
Wes (@kai5263499) is a cloud engineer, who loves to dig into Apple product security. Last year (and on a previous episode) he discuss how Macs get malware. He's back again this year to discuss how to hack iOS. He will be speaking at BSides Hunstville February 3, 2018. If you have a chance to go, be sure to check out his talk. Also, check out is OSX security awesome list on GitHub. It's a really useful set of links on This dude is really smart.
Ryan (@th3b00st), Kyle (@chaoticflaws), and Kate (@vajkat) help put on one of the best conferences. Last year was my first year at the conference. I was not disappointed. They had a workshop on application security; a room set aside to get resume feedback; Ham radio exams; and much more. They also had three days of wonderful talks with some really great speakers. At lunch there are multiple treks to go grab a coney dog. The call for papers is currently open. They're looking for speakers and to add more workshops this year. Tickets are also available now. Make sure to grab yours and I'll see you at Converge and BSides Detroit May 10-12.
Matt (@matt_tesauro) and Aaron (@weavera) are the project leads for the OWASP AppSec Pipeline. The project provides resources and guidance for building out your own appsec pipeline within a development team. Building a pipeline is important in helping get security embedded within software.
2017 was a great year for the podcast. I saw increased listernership. We had a new episode format that involved talking to several security professionals at various conferences. I've also seen an increase in companies and public relation firms reaching out to me to pitch guests. In 2018 I'd like to explore some new formats. There may be a conference panel in the future. I also expect to look at advertising and sponsorship for the podcasts. I also need to work on an archive feed for older episodes.
Micah (@WebBreacher), this past year, spoke on imposter syndrome and how to overcome it. It's something we all deal with (even several years into our careers). It's useful, but also dangerous for those of us in the information security community. We need to try and compare ourselves to others less and speak more positively internally.
Chris (@chrissanders88) grew up at a disadvantage. He wasn't rich or handed a great educations. He speaks of being part of the free lunch kids at school. He's managed to turn himself into a successful information security professional, with his own company and non-profit. A lot of that is due to his teachers and mentors encouraging his interest in computers. The Rural Technology Fund is a way for him to give back and give other kids an opportunity to see if they have a spark for technology.
Chris (@cmaddalena) gave a talk at DerbyCon this past year on writing Win32 Shellcode. We've talked before on a previous podcast around why building your own tools is important. Chris has also written several tools for his day job and for public consumption. His most recent tool is ODIN, a passive recon tool for penetration testers.
© 2020-2025 Ivy Podcast Discovery LLC
