Joe FitzPatrick on the Future of Hardware Security Training Sessions

This week Rapid7 welcomes Joe FitzPatrick, a lead researcher at securinghardware.com, as he discusses what it takes to run a successful hardware training session. Read on as he shares how to maintain profitability, how to navigate the challenges of equipment logistics, and how to position training toward what your technical audience really needs to know.

Hardware training without the hardware

A business that runs on talking to large groups of people—as Joe’s does—faces unique operational challenges in pandemic times. As organizations shift toward online learning, Joe recognizes the smart move is to take his hardware training sessions remote. These “Summer Camps” are typically two-day, skills-focused intensives, designed to teach people what they actually want to know, answering concrete questions about command lines and wire hookups. Meandering lectures, on the other hand, tend to delve into technical intricacies that no one is really has much interest in.

Joe notes the demands of hardware training differ from software training. To recreate the proper classroom environment online, he must somehow inculcate technical skills in an atypical environment—to adjust to teaching hardware hacking without the hardware.

Luckily, Joe is a seasoned instructor. Teaching runs in the family—his mother is a technical trainer as well. When she helped him get started introducing people to hardware basics, he found a knack for it. After ditching the big corporate job, he took his training circuit to the likes of Black Hat and the Hardware Hacking Village at DEF CON. He highlights the importance of compliance in training. He frames courses around getting people relevant skills, so it’s not just a series of tasks designated by management to keep employees clicking through. He wants training to be about more than just teaching people how to buy your product.

Equipment woes in the age of Coronavirus

When he can still conduct courses in person, Joe prefers to do so—he was eager to ditch lecture-based learning in favor of a more hands-on approach. But experiential learning requires massive equipment orders. Arranging equipment deliveries proves extra difficult given that the equipment isn’t ever simply returned. So it’s not just a matter of equipping everyone in a class, but equipping everyone in every class taught.

In addition to the lab-based setup demands, logistical challenges abound. China manufactures much of the hardware used in training, and their current supply chain is taxed thanks to COVID-19. Between placing frantic buying orders, coordinating deliveries, and modifying custom boards (we’re not dealing with off-the-shelf product quite yet), acquiring what’s needed is a bear.

Advice for would-be hardware hacking trainers

Essential to leading successful hardware hacking training sessions is planning ahead. Joe advises it’s not enough to dive in and hope to scrape by teaching what you know—you have to think through how to make your particular knowledge base or skill set into a functional business. Whatever your expertise, first ask: who is my audience for this? How many classes would I need to teach per year to turn a profit, and how can I ensure my market is sustainable?

Part of ensuring your business thrives is making sure your skills stay sharp. Even instructors should notice steady improvement over time, and if you’re putting in the work and not getting better, you’re getting worse. Analysis paralysis is a real phenomena—don’t let it bog you down. It’s about experimentation and what’s working on a practical level more than expostulating a thousand different theories.

Listen to the full podcast

Thanks to Joe for taking the time to give us a rundown on new developments in hardware training. Listen to the podcast in its entirety and make sure you subscribe so you don’t miss future episodes of Security Nation.