Just a forewarning, this is a personal blog entry, and has no technical content. I’ve been blogging on ha.ckers.org for over 500 posts now, and I have done my best to stay honest and give all my readers the facts necessary to make their own decisions about the products they use, the technology they employ and the risks they face. One thing I have said on a number of occasions is that I do not work in security. At the time I wrote that, I was telling the truth; I was working as a director of product management for a publicly traded real-estate company. I was making sure the colors of the page matched up, and that the search engines had the right business rules taken into account. Business only, no security. That may come as a shock to a lot of people, but I really had nothing to do with security for the last year since I started working there.
Of course, prior to that I worked for a number of big companies leading up security services, building anti-phishing, anti-virus, anti-cross-site-scripting, and anti-fraud tools and techniques. I’d been involved in security since there really was a web application to secure in the first place (anyone who tells you that they’ve been in security longer than I have is talking about DECs and Alphas, and I’m not even sure how those are relevant to modern applications anyway). Regardless, although I didn’t work in security for the last year (since before I started this blog), I definitely have my roots in security. If it’s not obvious, this is my passion, and I’ve been out of it for too long.
So I’m starting a new consulting company called SecTheory with id and a few other part-time contractors. You may have heard wind of it on Slashdot, the Wall Street Journal, Anurag’s blog, press releases by ClickForensics, or I may have told you myself in passing, but I never made it clear on this website. The goal is to deal with middle-sized companies who need security help with some of their harder problems, but can’t afford to hire someone full time. Also, I have already helped a number of small security startups with their technology strategy, and I will continue to do so. That said, I can no longer be considered completely unbiased, as I am now a member of the security community again. In the spirit of full disclosure I thought it only fair for me to explain my new company and what my plans are for it, so there are no secrets and each of you can make your own informed decisions about why I am saying whatever it is I am saying.
So from time to time you may see me reference material that I will be putting on SecTheory (more of the business side, most likely). For the time being it’s just a shell of a site, and there’s nothing interesting on it, but over time I’ll grow it (not into a community site, don’t worry) and I’ll put more content up there as time progresses. I plan on keeping ha.ckers.org and sla.ckers.org around for the foreseeable future, as I think the community needs to know what’s really happening out there, and it’s a way for me to communicate with all of you as well as the vendor community that I both love and hate.
My only concern with releasing this information is that some people might be upset with my new company (see me as a competitor or a threat), but I assure you that’s not at all how I see it. In fact I see the security community growing with time, not shrinking. The only other threat I see is that I may get into situations where I cannot talk about clients given non-disclosure agreements or whatever. This has already come up in a number of cases where I would have liked to disclose events that occurred, but I cannot for legal reasons. I have already communicated with a few potential clients that I reserve the right to talk about anything I learn on my own or to talk about them only as “a company.” Wherever possible I will continue that trend to make sure I can share what I learn with the community.
So onward and upward. I’m really glad to be back amongst the ranks. It’s the first time I’ve been really happy since I left. If that’s not a sign, I don’t know what is. If you have questions about the company, feel free to email me off thread and I’ll share what I can. Anyway, let’s get back to the technical meat, shall we?