I will try to explore my relationship with IT / software / computers / computer science / software engineering or whatever the best term is to describe it. I am in a mode of looking back with content, and making small changes, learning a bit more.
As often, thinking in 'opposites' comes most natural to me:
Self-study versus formal education. The IT and software industry is young and - I believe - had originally been populated by people without a formal training in computer science as this did not yet exist as an academic discipline. The community was open to outsiders with no formal training or unrelated experience. As a former colleague with a psychology background put it: In the old times, anybody who knew how to hold a computer mouse correctly, was suddenly considered an expert.
I absorbed the hacker ethics of demonstrating your skills rather than showing off papers, and I am grateful about the surprisingly easy start I had in the late 1990s. I just put up a sign in a sense, saying Will Do Computers, and people put trust in me.
I am not 'against' formal education though. Today I enjoy catching up on computer science basics by reading classics like Structure and Interpretation of Computer Programs.
Breaking versus building things. I have been accountable for 'systems' for a long time, and I have built stuff that lasted for longer than I expected. Sometimes I feel like a COBOL programmer in the year of 2000.
But I believe what interested me most is always to find out how stuff works - which also involves breaking things. Debugging. Reverse Engineering. Troubleshooting. All this had always been useful when building things, especially when building on top of or interfacing with existing things - often semi-abandoned blackboxes. This reverse engineering mentality is what provided the connection between physics and IT for me in the first place.
It was neither the mathematical underpinnings of physics and computer science, or my alleged training in programming - I had one class Programming for physicists, using FORTRAN. It was the way an experimental physicist watches and debugs a system 'of nature', like: the growth of thin films in a vacuum chamber, from a plasma cloud generated by evaporating a ceramic target bombarded with laser pulses. Which parameter to change to find out what is the root cause or what triggers a system to change its state? How to minimize the steps to trace out the parameter space most efficiently?
Good-enough approach versus perfectionism. 80/20 or maybe 99/1. You never know or need to know anything. I remember the first time I troubleshooted a client's computer problem. I solved it. Despite knowing any details of what was going on. I am sort of embarrassed by my ignorance and proud at the same time when I look back.
In moment like this I felt the contrast between the hands-on / good-enough approach and the perfectionism I applied in my pervious (academic) life. I remember the endless cycles of refinement of academic papers. Prefixing a sentence with Tentatively, we assume,... just to be sure and not too pretentious though I was working in a narrow niche as a specialist.
But then - as a computer consultant - I simply focused on solving a client's problem in a pragmatic way. I had to think on my feet, and find the most efficient way to rule out potential root causes - using whatever approach worked best: Digging deep into a system, clever googling, or asking a colleague in the community (The latter is only an option if you are able to give back someday).
Top-down, bottom-up, or starting somewhere in the middle. I was not a typical computer nerd as a student. I had no computer in high school except a programmable calculator - where you could see one line of a BASIC program at a time. I remember I had fun with implementating of the Simplex algorithm on that device.
However, I was rather a user of systems, until I inherited (parts of) an experimental setup for measuring electrical properties of samples cooled down by liquid nitrogen and helium. I had to append the existing patchwork of software by learning Turbo Pascal on the job.
Later, I moved to the top level of the ladder of abstraction by using *shock, horror* Visual Basic for Applications, ASP, and VBScript. In am only moving down to lower levels now, finally learning C++, getting closer to assembler and thus touching the interface between hardware and software. Which is perhaps where a one should be, as a physicist.
Green-field or renovation (refactoring). I hardly ever had the chance to or wanted to develop something really from scratch. Constraints and tough limiting requirements come with an allure of their own. This applies to anything - from software to building and construction.
So I enjoy systems' archaeology, including things I have originally created myself, but not touched in a while. Again the love for debugging complements the desire to build something.
From a professionals' point of view, this is a great and useful urge to have: Usually not many people enjoy fiddling with the old stuff, painstakingly researching and migrating it. It's the opposite of having a chance to implement the last shiny tool you learned about in school or in your inhouse presentation (if you work for a software vendor).
In awe of the philosophy of fundamentals versus mundane implementation. I blogged about it recently: Joel Spolsky recommended, tongue-in-cheek, to mention that Structure and Interpretation of Computer Programs brought you to tears - when applying for a job as a software developer.
But indeed: I have hardly attended a class or read a textbook that was at the same time so profoundly and philosophically compelling but also so useful for any programming job I was involved in right now.
Perhaps half of older internet writing reflects my craving for theses philosophical depths versus the hard truth of pragmatism that is required in a real job. At the university I had been offered to work on a project for optimizing something about fluid dynamics related to the manufacturing of plastic window frames. The Horror, after I had read Gödel, Escher, Bach and wanted to decode the universe and solve the most critical problems of humanity via science and technology.
I smile at that now, with hindsight. I found, in a very unspectacular way, that you get passionate about what you are good at and what you know in depth, not the other way round. I was able to possibly reconnect with some of my loftier aspirations, like I could say I Work In Renewable Energy. However, truth is that I simply enjoy the engineering and debugging challenge, and every mundane piece of code refverberates fundamental truths as the ones described in Gödel, Escher, Bach or Structure and Interpretation.
Since 2012 I have published PKI status updates here, trying to answer the question 'Do you still do PKI?' (or IT). I have re-edited them often, and my responses were erratic - I was in a Schrödinger-cat-like superposition state of different professional identities.
Now and then I still get these questions. Can I answer it finally? I am still in a superposition state - I don't expect the wave-function to break down any time soon. I enjoy this state! But my answer to IT-related requests is most often no.
So yes, I am still 'working with IT' and 'with IT security' professionally. Not necessarily 'in IT'.
I am supporting a few long-term clients with their Windows PKI deployments and related X.509 certificate issues (after having done that for more than 10 years exclusively). Those clients that aren't scared off by my other activities, and clients I had always worked with informally and cordially. But I don't have any strong ties with specific PKI software vendors anymore, and I don't know about latest bugs and issues. So I don't present myself as a Windows PKI consultant to prospects, and I decline especially requests by IT security partner companies who are looking for a consultant to pitch or staff their projects. I am also not interested in replying to Request for Proposals for PKI or identity management and 'offering a solution', competing with other consultants and especially with other companies that have full time stuff doing business development (I hardly did this in my PKI-only time). I am not developing software anymore that might turn into an 'enterprise solution'.
Today I am working 'with IT' more than 'in IT' in the sense that I returned where I came from, as an applied physicist who was initially drawn into IT, armed only with experience in programming software for controlling experimental setups and analyzing my data: I call myself the 'theoretical department' of our small engineering consultancy - I am developing software for handling Big Monitoring Data. I am also tinkering with measurement technology, like connecting a Raspberry Pi to a heat pump's internal CAN bus.
Security is important of course: I have fun with awkward certificates on embedded devices, I sniff and reverse engineer protocols, and I could say I am working with the things in the Internet of Things. But I am not doing large-scale device PKIs or advising the IT departments of major engineering companies: My clients are geeky home owners, and we (the two of us) are planning and implementing our special heat pump system for them. An important part of such projects is monitoring and control.
So every time I feel that somebody is searching for 'a PKI consultant' I am the wrong person. But if somebody stumbles upon my CV or hears my story at full length - and absolutely wants to hire me just because of the combination of this - I might say yes.
But it is no good rationalizing too much: Finally it is a matter of gut feeling; I am spoilt or damaged by our engineering business. Our heat pump clients typically find our blog first - which has been mistaken for a private fun blog by friends. Prospects are either 'deflected' by the blog (and we never hear from them), or they contact us because of the blog's weird style. Having the same sense of humor is the single best pre-requisite for a great collaboration. So whenever I get any other project request, not mediated by a weird website, I try to apply the same reasoning. Years ago I a colleague I had not met before greeted me in the formal kick-off meeting, in front of all others, with: You are the Subversive Element, aren't you? (Alluding to my Alter Ego on subversiv.at). That's about the spirit I am looking for.
radices is roots in Latin. And accidentally there is a pun, perhaps as hackneyed as roots of all evil. As a security consultant I built lots of Root CAs, the top anchor in the hierarchies that are called Public Key Infrastructures.
radices.net shall now be dedicated to what online gurus and internet philosophers call curating today. Which means I just dump links to stuff I am interested in to add some basic structure of headers. radices was a German science pseudo-blog but it also was an experiment in organizing content - so I have come full circle.
About my PKI activities
I had been a PKI consultant since 2002, mainly working with European enterprise customers on designing and implementing their PKIs run inhouse. Now I am supporting some long-term existing clients with their PKI / X.509 issues but I don't take on new clients.
As a former Microsoft employee I have focused mainly on the Microsoft PKI, versions Windows 2000 / 2003 / 2008 / R2 / 2012 R2 - but I also had some exposure to various other PKI-enabled applications and devices. The fun part of PKI projects is in debugging weird issues that exotic or allegedly 'industry-grade' applications have with validating certificate paths, using keys etc.
- I try to keep track of links, books, papers etc. I found useful and add them to this list. This is not intended to be the perfectly structured, 'educational' collection. I rather pick and add what I stumbled upon while working on PKI issues or discussing with other security freaks.
- I started logging PKI issues here. The idea is to described them most concisely, in TXT format.
- Struck by vanity I made the collection of my modest own contributions a page in its own right. I am also trying to keep track of my postings to security forums in order to use those as my knowledge base.
I am originally a physicist (completed PhD in 1995), worked in R&D and switched to IT security. In 2013 I have completed another master's degree called Sustainable Energy Systems and did a master thesis on smart metering and security (LinkeIn profile). Now I am consulting engineer working with heat pumps that use a special heat source. Yes, I know - it is weirder to combine that with PKI.
The security of the smart grid and internet of things [add more buzz words here] provide options to re-use my security know-how in the context of my new field. Such heat pumps may use control units connected to 'the internet' and all kinds of certificate-/PKI-enabled stuff might be involved here.
For five years I have given a yearly lecture in a master's degree program, then called Advanced Security Engineering at FH Joanneum. Here is the last version of the slides.