TEDxMaui — Hack Yourself First

Update 04.12.2012: Video of the presentation embedded below.

Ten years ago if you had told me that I’d be back living in Hawaii, founder of a fast growing technology company, and a TED speaker — I would’ve said, “What’s a TED?” Preparing for TEDxMaui was extremely difficult. The presentation format is completely different than anything I’ve ever done before. It was limited to just 18 minutes as opposed to 50, and given to an audience of everyday people eager to see something amazing, instead of security professionals and high-tech workers. The message had to be crystal clear. Since TEDxMaui videos won’t be published until late February, you’ll have to settle for my substandard textual description for now.

I wanted everyone, both the viewers in the audience and those who would eventually watch the video, to deeply appreciate the crucial importance of Internet security. I want everyone to know that to discuss Internet security is really to discuss our economic well-being and our national security, and I want everyone to know that both are under attack — every single day. Most of all I wanted everyone to know that hacking, and people learning how to hack, is absolutely essential to defend ourselves. I labelled this concept Hack Yourself First, the title of the presentation. Hack Yourself First advocates building up our cyber-offense skills, and focusing these skills inward at ourselves, to find and fix security issues before the bad guys find and exploit them.

Before presenting Hack Yourself First I had to first imagine how the audience would respond. Most watching undoubtedly have only had negative experiences with the words “hacking” and “hackers.” All they likely knew of hacking is in relation to viruses infecting their computers, stealing money out of (their) bank accounts, TV interviews of shadowy characters wearing Guy Fawkes masks, salacious articles featuring cyber villains, and of course bad Hollywood movies. Whether we like it or not, these are the ambassadors of hacking, so the idea of teaching cyber-offense skills might be considered akin to illegal activity. Just the same, there I was on stage revealing that, “Yes, I am a hacker — but not like them.”

I don’t know what precisely it was that I said, but the message of Hack Yourself First undoubtedly resonated in a big way. No less than a hundred people introduced themselves to me afterwards excitedly asking, “How do I learn to hack myself first?” Perhaps I shouldn’t have been, but I was blown away. And not just the very young or student age, I’m talking about people 45 up to 70 years old with zero technology background. Maybe it was because I taught them a simple hacking trick, a simple hacking trick they could grasp, and even do, like those from my “Get Rich or Die Trying” presentation. Suddenly the fascinating subject of hacking, which they previously assumed was too complicated to learn, was approachable. I taught a TED audience how to hack! How cool is that!? 🙂

Many in the information security industry have been trying desperately and in vain to raise Internet security awareness among the masses. We repeatedly give people laundry lists of what not to do, and it isn’t helping. Better awareness, better overall Internet security, could be accomplished through Hack Yourself First. Teach anyone and everyone who wants to learn how to do the actual attacks the bad guys use against them, perhaps packaged up in a Capture-the-Flag format. That would be a lot of fun for everyone. When people know precisely how hacking works, they’ll be in a better position to spot attacks against them and be on their guard.

I came to TEDxMaui to share my ideas with a wider audience, but what I came away with was more ideas from them about where we can take Hack Yourself First.

WhiteHat Security is a leading provider of website security services.

Terrified

Over my career I’ve given exactly 295 public presentations, to audiences as small as a table full and up to many thousands. Audience members have said countless times that they really enjoy my speeches. Conference organizers always invite me back, and my feedback scores are always amongst the highest. These are accomplishments I’m proud of and a level of success only achieved with the help of a lot of dedicated people. You might think that after all this experience I’m extremely comfortable on stage. The reality is that you’d be wrong, very wrong. What most don’t know is that each and every time I’ve presented, to this day, I suffer from extreme anxiety, commonly known as stage fright. In my case, terrified would be a more accurate description.

I’ve been known to physically shake, have shortness of breath and a strained voice, speak far too quickly, be statuesque on stage almost like I’m hiding, and feel just overall completely stressed out. Early on I decided that no matter how terrified I was, my message needed to get out there, and it was more important than letting fear stop me. I think my #1 skill as a public speaker is hiding my fear, my terror. My theory was the more experience I gained the faster I’d overcome it. In the meantime, in order to cope, I developed a pre-presentation ritual.

I’d prepare heavily for each event, pore over the content in every slide, and seek candid feedback from those I trusted. I’d also commonly ask event organizers for details on audience demographics to specifically tailor my comments. I’d then practice ahead of time for small private groups in order to get the timing and flow down. If something or all of it sucked, I’d throw it out. With the assistance of my wife, I’d even get a plan down for precisely what I was going to wear on show day. Nothing was left to chance. Finally, I’d block out an hour before each presentation to check out the stage, be alone with time to center, prepare and calm myself down, and of course continue tweaking slides. Being prepared helped take the edge off my anxiety a lot.

The problem was, or is, that no matter how many times I presented, the anxiety, the fear, and terror never really lessened. That is until this last year. Something changed, but what!? Had I finally overcome it? I’m not an introspective person so it wasn’t until very recently that I think I figured it out. In 2011 my public presentations weren’t pushing the envelope as much as in years past. The content was good to be sure, but it also focused on “safe” business level subjects and incrementally advancing work from previous years. In short, I really wasn’t putting myself out there as far as I’m used to. In my case, the feeling of fear and terror arises when pushing forth an idea or a concept and unsure if people will think it’s uncompelling or totally idiotic. A chance you take.

That’s about when I got a call from TED offering a speaking slot in TEDxMaui. We got to talking about my work and discussing an idea worth spreading. It didn’t take long. Then all of a sudden I’m thrust right back into fear and terror mode, but now that I understand it, the feeling is almost comforting. It signals that I have an opportunity to take things in my industry, in our industry, to a new level — or of course drive right off a cliff. Either way it’ll be a good show! 🙂

Hack Yourself First: Jeremiah Grossman

How I got my start — in Brazilian Jiu-Jitsu

I’ve been a UFC fan for years, even before it was acquired by Zuffa. I was fascinated by the anything goes, hand-to-hand form of combat. I suppose it reminded me of growing up in Hawaii. 🙂 The UFC was also enjoyable because it helped answer the question, “What martial-art or fighting style was most effective?” Karate? Kickboxing? Boxing? Wrestling? Ninjutsu? What matters more, size or technique?

The UFC provided a forum, the octagon, to settle the long-standing fight-world debate. Everyone had a theory, but no one really knew for sure. What became crystal clear even today is that every fighter must have a background in Brazilian Jiu-Jitsu or they WILL lose. It’s just that simple. My background was mostly striking, so I wanted to try out this ground fighting stuff.

A co-worker, also interested in the UFC, and I found a local BJJ academy in San Jose taught by black belt instructor Tom Cissero. Tom has a passion for the martial arts and, more importantly, for his students, as he deeply feels that they are a direct reflection upon his life and value as a person. Yes, he takes his craft that seriously, and serious he is. Tom is abrasive, aggressive, and combative, attributes covering up a heart of gold. In the academy Tom will push you hard, harder than any place else, to make you good, whether you like it or not, and he cares enough to do so. That’s why I stayed with him the better part of a decade.

Anyway, my 6’2”, 300 lbs, and let’s face it, seriously fat and way out of shape frame walks in — admittedly with a little bit of big man ego. I see Tom instantly trying to size me up. Of course he had me figured out in all of 5 seconds as you’ll read in a moment. After signing the waiver, doing some drills, and learning a couple of submissions I began to familiarize myself with the basic rules and gym etiquette. Then came sparring time. Tom loves the sparring sessions more than anything else. Probably because it measures your progress in stamina and skill.

Tom pairs me up with, and I kid you not, a 150 lbs or less woman in her mid 40’s and says let’s see what you can do. She’s a purple belt with several years of BJJ experience, but I’m thinking to myself WTF!? She’s half my size! I’m going to squash her! Then of course the whole situation is running counter to my internal man moral code, never fight girls. Not being given a choice, but also not wanting to be disrespectful, I decided to go really easy as I didn’t want to hurt her or anything.

The bell sounds, I come slowly forward towards her, she quickly closes the distance, spider monkeys to my back, chokes me, and forces me to tap out inside of 10 seconds flat. I was shocked and a little upset. Here I am going light and she takes advantage of me. Clearly she’s not playing around. To hell with this, no way I’m going to let that happen again! No more Mr. Nice Guy.

We touch hands, signaling to begin again, but I go harder this time trying to put her back on the mat. She again somehow sneaks around under my arm, like an octopus, and chokes me with the same damn move! To my credit, I lasted a few more seconds that time. This scenario repeats for about 4 to 5 minutes in the session, and for the life of me, as a big strong guy, I could not keep this tiny older woman off my back and robbing the oxygen from my brain. Oh, and all the while she is speaking to me in a calm instructive voice. Humiliation is the best word to describe it.

At the end of class I’m thinking to myself, there is something to this Brazilian Jiu-Jitsu stuff. However, that wasn’t the most important thing to me at that particular moment. There was no way I could go on about my life happily knowing that such a woman could kick my butt so easily. Call it machismo if you like, I don’t care. It was clear to me that I had to keep training BJJ at least long enough to beat her. It only took three years. Fortunately for me by that time the motivation to simply get better and enjoy myself became my primary driver.

By the way, that woman is still training there. So if you are a big guy, and plan to drop by for a visit, don’t say I didn’t warn you. You could quickly find yourself on a journey to becoming a BJJ black belt.


Web security content moving to new WhiteHat Security corp blog

Many of you have noticed I haven’t been blogging in several weeks. The truth is I have been blogging, just not here! For those who missed the announcement, WhiteHat Security recently launched a new corporate blog, featuring over a half dozen other WhiteHat bloggers in addition to myself. To support and intermingle with other exceptionally solid posts, I’ve been directing my Web security content over there. If you review the archives you’ll find cool stuff on scaling CSRF identification, DOM-based XSS, bypassing CSRF tokens with a Flash 0-day, etc.

Here are some of my most recent posts that you may have missed:

See! I have been blogging. 🙂 Consider updating your RSS feeds.

I’ll continue posting here, only at a much lower volume, and exclusively about personal things like my adventures in Brazilian Jiu-Jitsu.


11th WhiteHat Website Security Statistic Report: Windows of Exposure

WhiteHat Security’s 11th Website Security Statistics Report presents a statistical picture gleaned from over five years of vulnerability assessment results taken from over 3,000 websites across 400 organizations under WhiteHat Sentinel management. This represents the largest, most complete, and unique dataset of its kind. WhiteHat Security makes this report available specifically for organizations that aim to start or significantly improve their website security programs, prevent breaches, and prevent data loss.

Top 3 Key Findings (Full list available in the report)

  • Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9–12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.
  • During 2010, the average website had 230 serious* vulnerabilities.
  • In 2010, 64% of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a few tenths of a percent.

Window of Exposure is an organizational key performance indicator that measures the number of days a website has at least one serious vulnerability over a given period of time.
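To make the KPI concrete, here is an added example (not WhiteHat’s code) that computes Window of Exposure for one site from constructed open/close records of serious vulnerabilities, merging overlapping findings so a day with two open issues counts once; the bucket boundaries are an assumption taken from the report’s wording.

```python
"""Window of Exposure: number of days in a reporting period on which a
website had at least one open serious vulnerability.

Added example, not WhiteHat's code. Vulnerability records are constructed;
bucket boundaries are assumed from the report's wording.
"""
from datetime import date, timedelta

# Constructed sample: (finding id, opened, closed or None if still open).
SAMPLE_VULNS = [
    ("xss-1", "2010-01-10", "2010-02-09"),   # open 31 days
    ("sqli-1", "2010-02-01", "2010-02-20"),  # overlaps xss-1 (counted once)
    ("leak-1", "2010-06-01", "2010-06-01"),  # closed the day it was found
    ("csrf-1", "2010-12-01", None),          # still open at period end
]


def window_of_exposure(vulns, period_start, period_end):
    """Count distinct days in [period_start, period_end] (ISO strings,
    inclusive) with at least one open vulnerability."""
    p_start = date.fromisoformat(period_start)
    p_end = date.fromisoformat(period_end)
    intervals = []
    for _, opened, closed in vulns:
        # Clip each finding to the period; None close date means still open.
        start = max(date.fromisoformat(opened), p_start)
        end = min(date.fromisoformat(closed) if closed else p_end, p_end)
        if start <= end:
            intervals.append((start, end))
    intervals.sort()
    exposed_days = 0
    cur_start = cur_end = None
    for start, end in intervals:
        # Merge intervals that overlap or touch (next day), else flush.
        if cur_end is not None and start <= cur_end + timedelta(days=1):
            cur_end = max(cur_end, end)
        else:
            if cur_end is not None:
                exposed_days += (cur_end - cur_start).days + 1
            cur_start, cur_end = start, end
    if cur_end is not None:
        exposed_days += (cur_end - cur_start).days + 1
    return exposed_days


def exposure_bucket(days, period_days=365):
    """Map a day count to a report-style bucket (boundaries assumed)."""
    if days < 30:
        return "less than 30 days"
    if days < 270:
        return "1-9 months"
    if days < period_days:
        return "9-12 months"
    return "every day"


def report(vulns, year):
    """Window of Exposure and bucket for one calendar year."""
    start, end = f"{year}-01-01", f"{year}-12-31"
    days = window_of_exposure(vulns, start, end)
    total = (date.fromisoformat(end) - date.fromisoformat(start)).days + 1
    return days, exposure_bucket(days, total)


if __name__ == "__main__":
    print(report(SAMPLE_VULNS, 2010))  # (74, '1-9 months')
```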

Download the Full Report
