There are stories of Tiger Woods hitting 1,000 balls at the range without a break. And of Jason Williams practicing dribbling for hours on end without ever shooting a ball.

That’s how you become an expert. That’s how you get amazing results.

At least in some fields.

I'm wondering...what would that be in #infoSec? In #programming?

Deliberate practice is mostly built off of 4 criteria:

  1. Designed and evaluated by an expert
  2. Stretches you and is uncomfortable
  3. Requires your total concentration
  4. Consists of a lot of repetition

Usually, it comes down to exercising one aspect of something. If you want to get good at drawing people, don't just draw 100 people. Draw 100 eyes. 100 noses. 100 hands.

If you want to get good at putts, make 100 putts. From the same spot. Then move a little. And make 100 more putts.

What types of deliberate practice do we have in the tech industry?

Here's a d00d starting up something involving deliberate practice for programmers:

And another one, this time by John Sonmez who's well known in the learning-to-program spheres

@estoricru We may actually be shying away from deliberately practicing things by automating the boring stuff. Food for thought.

@estoricru In my case, I taught myself programming from learning BASIC and Z80 assembly language using magazine listings. Then, I'd ask, "I'd like to make a program to do X.", and try to do it. And fail. And then I'd get quite upset about it (still do to this day, in fact). And then I'd try again.

I've been trying to build my own homebrew computer since 2004. Still don't have what I'm *really* after. I'm *still* pursuing that dream though.

@estoricru @chuck code katas; relatively simple problems with constraints that exercise a particular programming skill

@estoricru For coding, I would say that code golf qualifies. Hacking on little, not really useful stuff as a way of flexing your mind and coming up with new ways of doing things, or at least thinking about the problems.

Also, the time-honored tradition of re-implementing stuff so you can get a better handle on what all goes into it. I wrote Systembot for that reason - system monitoring was getting to me because I didn't have a good mental model of how it worked, so I wrote my own.

From the security side, maybe crackmes and online CTFs would qualify as deliberate practice.

@estoricru Some untested ideas,

Write proof of concept for well known vulns. Read specs, look for flaws. Read source code like you would a technical book - looking for patterns and structures. Try to pull snippets out of code and unit test them, or write a fuzzer for their inputs. Make a list of pet peeves for a favorite app and see if you can fix one. Pick up a new library and make toys - literal toys, stuff a kid might like to play with, extra sparkly.

@estoricru The thing that makes this deliberate is that you are spending regular hours, with the work tools, in the mental zone of 'wtf even is this' just barely outside of the comprehensible, tripping over edge cases.

@feonixrift Generally deliberate feedback is a specific thing where you practice a specific aspect and get feedback to improve it. Like putting from the same distance towards a hole 1000 times. Shooting from the 3 point line 1000 times, etc.

@estoricru Ok so that's gonna differ, but... a. 'got the proof of concept to work on n vulnerabilities of class X' is pretty much exactly that, and b. there are plenty of high skill crafts that don't provide that at all yet are amenable to deliberate practice so long as your own mind and body are put through paces with continual attention. I think feedback here is in the neural network sense, not the homework grade sense, so reducing it to a single metric would pitch out continual contextual cues.
