I have now been playing on the pentesting platform hackthebox for more than a year. I have been in IT security / infosec for a very long time, but I was very late to the offensive party. It still amazes me why that is. Some random thoughts!
I was not really aware of the exact terminology regarding blue and red teams etc. The Public Key Infrastructures I have built are maintained by the 'networking' or 'server' or 'Active Directory' teams, so I had always considered 'security' to be one aspect of the work the architects and network administrators have to do. Maybe I do not even count as 'infosec' - I am just the administrator of all things certificate-related.
I often sided rather with the people who had to maintain the 'security infrastructures' on a daily basis than with consultants (internal or external ones) who tell those administrators how to secure the infrastructure. People keeping infrastructure at the bottom layers of the network afloat are hardly noticed - until something breaks. I had my share of WHO IS RESPONSIBLE THAT THIS WAS NOT WORKING FOR [a time span very very small compared to the time the system was running well despite lots of changes].
In the book Advanced Penetration Testing a seasoned expert states:
All that is needed for an attacker to gain entry to the most secure environments is for one person to have one lapse in judgment one time. I keep driving this point home because it really is the point. As a penetration tester, I have the easy job. An attacker is always at an advantage. I would hate to have the responsibility of keeping a network safe from attack; I'd never sleep.
I think as a security consultant - red or blue, consultant as opposed to sysadmin / 'devops' - it is hard to fully acknowledge all the conflicting requirements and constraints you have to meet when you need to keep things running. I suspect I also helped implement dumb and insecure things at times, because they were the best trade-off at that time.
Often I found myself pondering on 'opposites', such as red versus blue, consulting versus doing, projects versus operations. Should I rather lecture and comment than implement and do? Is commenting and consulting just fence-sitting without skin in the game? I finally decided on more involvement in keeping things running. Actually, I once became a consultant because I feel so terribly responsible for systems and infrastructures even as an external consultant (usually without a long-term formal contract) who is touching that infrastructure once every few months. But every time I was officially responsible for systems it was hardly bearable and moved me nearly over the edge into burnout - I'd better erect that 'external consulting barrier' to keep me somewhat detached.
I also don't want to say that offensive roles are 'easier' - far from it! I do not have real-life experience with pentesting, but I imagine it as consulting on steroids: travelling a lot, chaotic deadlines, all the non-glorious aspects of consulting in general, politics,... Exactly the aspects that made me abandon the nomadic consulting lifestyle, by the way.
Following infosec experts on Twitter I notice that there is an old debate popping up from time to time: Should 'infosec' be an entry-level role, so should you e.g. go straight into security after college, or should you have experience in other IT and software roles before - as a programmer, system architect, or network administrator? Given my own path I should be in the latter camp, I guess. But on the other hand, again given my own path, I can imagine that you can absolutely become a security expert with dedication and without having spent grueling years, say, fixing clients' my-Outlook-does-not-work issues.
I changed careers a few times, but I can as well present these transitions as a gradual, logical evolution. I have often been a newcomer, and people were asking me: How long have you been doing this? It was meant as a compliment, and I avoided replying with the truth, like: a few months only. When clients considered me a 'PKI guru' I often said that I firmly believe that a student with enough dedication can become that exact type of guru in a year, too.
My blog was originally called Theory and Practice of Trying to Combine Just Anything. I had things like 'Physics and IT' in mind, or 'I had also considered studying philosophy and want to be some sort of renaissance person'. Maybe this is how I have approached security, too: I wanted / want to combine all kinds of experiences. It has been my choice, my path, not necessarily the expression of some career advice that would apply to anybody. Playing at hackthebox always shows me how much I do not know - about IT technologies and pentesting methods and tools. Only very rarely can I contribute something original, based on something I really know something about - like in the case of my PKI / smartcard hack.
I feel very much that I am a dilettante - in a positive sense of what the word actually means.
This website shall finally reconnect with its roots – radices.
With the dawn of the new millennium a self-proclaimed Subversive Element has registered a bunch of domains. It was especially fond of radices.net and subversiv.at. Today, all these sites have been re-united and redirected to elkement.subversiv.at. But the site does not deliver on its promising name – I feel it became way too 'professional' recently. Historical content has been filed mostly under Physics (radices) and Art (subversiv). The category life displays some of the matter-antimatter collisions of these two worlds. Which also explains the category of the current article.
The Subversive Site was a Red Padded Cell, with Font Color = White, a so-called creative playground. The Element was aware that 'everybody' could read this but it did not care. The Merger of the sites was inevitable in the end, after a final detour of professionalization – when radices.net suddenly also hosted pages with IT Security links.
I have been a blogger, and I observed the evolution of other blogs: My anecdotal evidence shows that blogs live for about 1-2 years. If they are bound to survive they have to escape the matrix and overturn their creators. A personal blog or website needs a 'Big' Idea. OK, not really big, but at least all-encompassing and abstract enough so that all the author's different threads and lines of thought can be silently tied together using this idea's magic glue.
My elkement.blog is relentlessly edited (Voice from the future: Soon there will be no distinction anymore between 'this website here' and 'the blog over there'). It was a more philosophical site once, but I aim at following our punktwissen principles now. Articles should be concise, provide value, and perhaps also entertainment. There should be a logical connection between posts, and my curated lists should help readers to find something 'useful'.
On the contrary, this site has more or less the same article over and over again – perhaps in disguise and interlaced with technical notes. It is all about my personal keeping the essence of Physics alive and useful for me. Since radices was originally a German-only science and philosophy site, the English version might not reflect this – but in the early articles on elkemental Force (at that time: Theory and Practice of Trying to Combine Just Anything) I recaptured these ideas.
So I do finally accept this – let elkement.subversiv.at have its way. This is elkement's personal site, and its primary topic is How To Learn About Physics And Why This Might Be Useful Or Even Edifying In Very Different Ways.
- Learning physics means to start somewhere in the middle. That's why a first Introduction to Physics lecture is always hard (if the lecturer has some modest mathematical aspirations). You need to look at the same phenomena from different angles, and only after a while – and some work – everything will fall into place. This process and journey of learning is rewarding in itself.
- The more related to mathematical foundations (of physics) a question is, the less googleable the answer is. You can find anecdotes, and examples, science sound-bites for entertainment. Of course you find awesome lecture notes to learn the fundamentals from, from the Feynman Lectures to Landau-Lifshitz – but you need to 'learn' them. Contrary to the mantra of You Just Need to Know Where to Find Something (like: Google for error messages) I believe that really knowing about fundamentals without googling helps a lot with problem solving: You can walk through how a system should work, just using the resources in your head.
- Mathematics purges the brain, and this does not only help with mathematical problem solving. So I believe that the hackneyed problem-solving skills of science graduates are real (although it is difficult to assess the self-selecting nature of STEM degrees for people with natural 'analytical' skills). But the caveat is: Years of corporate work, powerpoint slides, office politics, distractions, pressure to deliver ad hoc can erode these skills. I have tested different methods to keep physics knowledge alive and usable over the long term - and have learned now that science might even provide some evidence, in a sense.
- I have been in 'cyber security' for a while and I have written lots of gloomy articles about our new smart world of automation, where everything (including heating systems) is turned into cloud-based services. Thoughts on all of this are still work in progress; I am working on internal consistency and unambiguity. I came into the world of IT as an experimental physicist, applying my training in troubleshooting complex 'analog systems' to digital systems. Despite the myth of crystal-clear 0s and 1s it was often better to treat them as black boxes. I lacked the typical computer nerd's / enthusiast's background and started late – playing with Microsoft systems and Office VBA and the like. In spite of this Treat-as-a-Black-Box approach I like to understand as much as possible about a system. Yes, I know you cannot understand, let alone build, a power plant from knowing how to solve Maxwell's Equations (let alone understand or solve issues in cyber security related to such power plants). Nevertheless, if I have the choice to understand something at all, I'd pick Maxwell's Equations.
For years I have been using an (angry) dinosaur as my web and blog logo. The dinosaur is from another era, and sometimes it cannot deal with 'modern' concepts of our 'smart', 'networked' world. But perhaps it was part of this world for a while in order to overcompensate.
Now the dinosaur is getting more and more confident that its typical dinosaur activities might be more productive and positive than it thought before.
On science and technology
- I believe there is often a simpler, more low-tech solution to a problem that technology is thrown at.
- I sometimes call myself a geek but I don't understand this 'geek' movement of cheering science and technology - without any desire to learn any of the details.
- I prefer to work on seemingly mundane problems that somebody really wants me to solve right now.
- This explains why I discarded inquiries to participate in and profit from governmentally funded research projects.
- Yet, I often find a universe of intriguing puzzles when mulling upon a 'simple' problem.
- Learning about theoretical physics has a mind purging effect: It helps, no matter if I ever need the math directly.
On business and life
- If a business relationship does not work without a written contract, it does also not work well with one.
- Don't follow any advice by strategists and experts, especially if their primary role is to act as consultants and not as doers.
- If somebody has an opinion on something, I judge them on Skin in the Game, hands-on experience, and education - in that order. I keep this in mind when voicing my own opinions.
- I don't pay for leads - I endorse others for free, and I am endorsed for free. Not necessarily on a 1:1 basis.
On the internet
- The greatest internet-powered innovation in the workplace I have encountered is to work remotely.
- I am grateful that I started writing online before there were Likes and Comments. The point of writing online is to hold yourself accountable because others could read this on principle, not because you need feedback.
- The internet sharing paradox: The more information you share for free, the more requests for free information you get. Learning to say No is a key skill.
- No matter how eclectic you think your combination of specialties is - you will find people on the internet featuring the same combination. Just better. It's humbling and this is a good thing.