I have now been playing on the pentesting platform hackthebox for more than a year. I have been in IT security / infosec for a very long time, but I was very late to the offensive party. It still amazes me why that is. Some random thoughts!
I was not really aware of the exact terminology regarding blue and red teams etc. The Public Key Infrastructures I have built are maintained by the 'networking' or 'server' or 'Active Directory' teams, so I had always considered 'security' to be one aspect of the work the architects and network administrators have to do. Maybe I do not even count as 'infosec' - I am just the administrator of all things certificate-related.
I often sided rather with the people who had to maintain the 'security infrastructures' on a daily basis than with consultants (internal or external ones) who tell those administrators how to secure the infrastructure. People keeping infrastructure at the bottom layers of the network afloat are hardly noticed - until something breaks. I had my share of WHO IS RESPONSIBLE THAT THIS WAS NOT WORKING FOR [a time span very very small compared to the time the system was running well despite lots of changes].
In the book Advanced Penetration Testing a seasoned expert states:
All that is needed for an attacker to gain entry to the most secure environments is for one person to have one lapse in judgment one time. I keep driving this point home because it really is the point. As a penetration tester, I have the easy job. An attacker is always at an advantage. I would hate to have the responsibility of keeping a network safe from attack; I'd never sleep.
I think as a security consultant - red or blue, consultant as opposed to sysadmin / 'devops' - it is hard to fully acknowledge all the conflicting requirements and constraints you have to meet when you need to keep things running. I suspect I also helped implement dumb and insecure things at times, because they were the best trade-off at that time.
Often I found myself pondering on 'opposites', as red versus blue, consulting versus doing, projects versus operations. Should I rather lecture and comment than implement and do? Is commenting and consulting just fence-sitting without skin in the game? I finally decided for more involvement in keeping things running. Actually, I once became a consultant because I feel so terribly responsible for systems and infrastructures also as an external consultant (usually without a long-term formal contract) who is touching that infrastructure once every few months. But every time I was officially responsible for systems it was hardly bearable and moved me nearly over the edge into burnout - I'd better erect that 'external consulting barrier' to keep me somewhat detached.
I also don't want to say that offensive roles are 'easier' - far from it! I do not have real-life experience with pentesting, but I imagine it as consulting on steroids: Travelling a lot, chaotic deadlines, all the non-glorious aspects of consulting in general, politics,... Exactly the aspects that made me abandon the nomadic consulting life-style, by the way.
Following infosec experts on Twitter I notice that there is an old debate popping up from time to time: Should 'infosec' be an entry level role, so should you e.g. go straight into security after college, or should you have experience in other IT and software roles before - as a programmer, system architect, or network administrator? Given my own path I should be in the latter camp, I guess. But on the other hand, again given my own path, I can imagine that you can absolutely become a security expert with dedication and without having spent grueling years, say, fixing clients' my-Outlook-does-not-work issues.
I changed careers a few times, but I can as well present these transitions as a gradual, logical evolution. I had often been a newcomer, and people were asking me: How long have you been doing this? It was meant as a compliment, and I avoided replying with the truth, like: a few months only. When clients considered me a 'PKI guru' I often said that I firmly believe that a student with enough dedication can become that exact type of guru in a year, too.
My blog was originally called Theory and Practice of Trying to Combine Just Anything. I had things like 'Physics and IT' in mind, or 'I had also considered studying philosophy and want to be some sort of renaissance person'. Maybe this is how I have approached security, too: I wanted / want to combine all kinds of experiences. It has been my choice, my path, not necessarily the expression of some career advice that would apply to anybody. Playing at hackthebox always shows me how much I do not know - about IT technologies and pentesting methods and tools. Only very rarely can I contribute something original, based on something I really know something about - like in the case of my PKI / smartcard hack.
I feel very much that I am a dilettante - in a positive sense of what the word actually means.
I have had a section called Philosophy on my very first website, and I have maintained a page called Principles or Our Approach ever since. It sounds as if those principles had been decreed at one point in time. As if aliens from outer space had dictated them.
However, I could simply say this: For decades I have played with technology, science, engineering, IT and everything in between. I worked in different industries. Each of them had good and bad aspects - regarding the actual subject matter and re the way of working. My main goal and hidden agenda was to ever evolve but keep the good and interesting aspects of each of them. I could spin a story about how everything fits into a grand and big picture, and it is not even wrong.
But it's a good exercise to look at everything as disjointed pieces. At some point in your life those stories should speak for themselves. I have been running my own business for a long time now; I don't have to explain and justify how everything fits together - as if it was part of a great plan.
In no particular order, and without aiming at completeness...
Like the Cobol mavericks at the turn of the last millennium, I support legacy Windows Public Key Infrastructures. I have migrated them over and over and over. I don't pretend I know all the latest buzz words but it seems I can catch up quickly and connect the dots.
I am herding all the software tools related to sizing heat pump systems, related numerical simulations, and data analysis - the so-called Data Kraken. I could call myself a software developer - I use languages from VBA to C++, and I use pointers and recursion now and then. But I don't mind if somebody insists on this being 'just scripting'.
I have been doing down-to-earth IT system administration for one small business - my second ever customer, loyal for more than two decades.
I get Ask-me-anything questions related to How Stuff Works and If That Stuff is Secure or If That Stuff Can Work at All. For some of that advice people even want to pay.
If you ask what real physics I actually use, I'd say Heat Conduction. Accidentally (?) it was one of my specialties at the university, a long time ago.
I work mainly remote. It's more efficient, it's cheaper for clients, I don't have to travel, everybody is more focused. I don't do political projects (anymore).
I enjoy finding the pragmatic middle ground. I don't take as gospel: Software design patterns, methodologies, engineering standards, compliance guidelines, best practices, 'what everybody says', 'what everybody does just to be on the safe side'.
Taking stock of what I had done so far, I found that two things were part of all my endeavors: Teaching/training and software development. I have also been a student in parallel, most of the time. After I gave an academic lecture about PKI for a few years, I ditched formal teaching, and having completed another master's degree I also stopped collecting degrees and certificates.
For a while I have been catching up on computer science basics in self-study mode, and this year I have discovered the joys of pen-testing.
I did not have ambitions for 2017. It should have been a year of taking stock - and it was, in a good way.
- I time-travelled and re-lived some history of software engineering, and finally learned basics of computer science. This was philosophical delight, but also useful and necessary: I was able to boost the performance of my simulations (above a level of what was, maybe, embarrassingly slow).
- I tinkered a lot with numerical simulations of our heat pump system. Main thing I learned: The more modern the building, the more you'd need to simulate humans' behavior, rather than physics or control logic.
- Reverse engineering and troubleshooting is what finally connects all the fields of science and engineering I love: Troubleshooting, ferreting out hidden causes and effects in hydraulics feel the same as sniffing and debugging software and networking protocols.
- Theoretical physics reading: I returned to classical thermodynamics and statistical mechanics; I find it fascinating and beautiful in its own right, even if only at the pre-1960s level. I took stock of my writing on heat transport - and I am happy I can actually really use physics on a daily basis, in down-to-earth engineering projects.
- I was thinking about automation, standardization, and big social media platforms. I struggled with this blog post about the future of small business for a long time, but optimism won. I might frame this even more positively today: There is a place for artisanal service delivery despite or because of Everything Being Offered As A Service by Omniscient Data Krakens.
- My blog turned 5 in spring, and I allowed myself to return to a more philosophical blogging style (briefly). Otherwise, I finally and subconsciously made elkement.blog my main resource of technical content - or at least content related to my professional domain, and content edited for clarity and entertainment. Whereas on elkement.subversiv.at I let my stream of consciousness flow. It seems that the pattern that finally emerges is: elkement.blog = elkement's tech / science magazine and platform for personal research news, with an ever growing focus on fields I have training in and daily practical exposure to. elkement.subversiv.at gravitates towards the same focus, but I allow myself to focus on my personal perspective only. So here you find 'what I am doing with [insert: heat pumps, security,...]', over there you find the useful content as such.
- Tomato harvest was great. I tried to grow late varieties - like Ox Heart - directly outside, and it worked.
- Dinosaur Kale tastes good. And it is able to recover from an attack of a bug that targets kale (and radishes' seed capsules). Don't try to keep seeds of radishes in the land of canola.
This website is an old-school non-interactive site. My blog technically isn't, but looks like one now, for the lack of visible comments. However, messages have reached me over covert 1:1 channels, so I do know that there is a small but sincerely interested group of readers. I thank you all for reading my stuff!
I have been blogging 'seriously' about physics since 2012. My motivation has been a blend of jotting down notes on interesting things I've just found, conveying my decades-old fascination with some phenomena, trying my hands at popular science writing, and reporting on my own research.
Today I am asking myself - did I learn anything from that on a meta level? To read myself, I am re-arranging the list of my physics posts and sort them by topic and sub-topic. The list says it all, I think.
I wanted to write about quantum mechanics, but it seems I was always most intrigued by classical mechanics, statistical mechanics, and thermodynamics. The latter has become my true home in physics - which has come as a surprise to myself. Yes, thermodynamics is my specialization, but years ago I rather figured that this is my job, and I rather want to follow the latest news on quantum information and particle theory in my spare time. It turned out that I am more interested in history of physics and in the evolution of concepts that are now 'well known'.
My recurring meta-topic is that classical mechanics / thermo can be as interesting, 'geeky' if you wish, mathematically 'weird', and surprising as fields that seem to be more popular.
This list may remain a static snapshot. I am editing the chronological list of my physics posts here on the blog. This list might seem to lack some of my more applied / engineering postings, re our heat pump system and data. These are here.
(Voice from the future: Soon there will be no separate 'blog' and 'website' anymore - all is being united and merged...)
Thermodynamics and Statistical Mechanics
Concepts and foundations
- Random Thoughts on Temperature and Intuition in Thermodynamics
- Time evolution of systems in phase space: On the Relation of Jurassic Park and Alien Jelly Flowing through Hyperspace.
- Phase-space in depth: Hyper-Jelly – Again. Why We Need Hyperspace – Even in Politics.
- Carnot’s efficiency, irreversibility, proof by contradiction, paradoxes: Re-Visiting Carnot’s Theorem.
- Mathematics used in statistical mechanics: Spheres in a Space with Trillions of Dimensions.
Heat pump basics
- Brief explanation, absolute temperature: Why Do Heat Pumps Pump Energy so Easily?
- Coefficient of Performance of a heat pump: An Efficiency Greater Than 1?
- Cross-check of numbers for a large heat pump system: Pumped Heat from the Tunnel
- COP versus Performance Factor: How to Evaluate a Heat Pump’s Performance?
- Energy accounting, economics: Heat Pump System Data: Three Seasons 2012 – 2015.
- Heat conduction, diffusivity, latent heat: Storage Challenge: High Score!
- Heat conduction, heat equation: Temperature Waves and Geothermal Energy.
- Heat diffusion length: Rowboats, Laser Pulses, and Heat Energy (Boring Title: Dimensional Analysis).
- Simple version, daily energy balances: More Ice? Exploring Spacetime of Climate and Weather.
- Heat transport, energy balances. Simulations versus simple energy accounting: Ice Storage Hierarchy of Needs.
- Detailed version: Heat exchangers, heat equation, 1-minute time slots: Simulating Peak Ice.
Thermodynamics and energy basics, dimensional analysis
- kW and kWh: No, You Cannot ‘Power Your Home’ by One Hour of Cycling Daily.
- Phase transitions, ideal gas law (pressure sensor): Mr. Bubble Was Confused. A Cliffhanger.
- kWp, power, energy, energy flow: On Photovoltaic Generators and Scattering Cross Sections.
History and inventions
- Einstein’s Refrigerator and other inventions: Einstein and His Patents
- Centennial light bulb, sustainability: 111 Years: A Shining Example of Sustainable Product Development?
- Checking 19th century papers: Peter von Rittinger’s Steam Pump (AKA: The First Heat Pump).
- Phase transitions of water, Mpemba effect: A Sublime Transition.
- By an Austrian start-up – pressure gradient created by centrifugal forces: And Now for Something Completely Different: Rotation Heat Pump!
(I realize that some of my articles in the 'engineering' category would also qualify for this sub-category History. For example: I wrote a - less detailed - post on Rittinger's steam pump before. But part of the fun with these lists is that you have to take those hard decisions of tagging ...)
Classical Mechanics and Fluid Dynamics
Equations of motion and Lagrangian formalism
- Principle of Least Action: Sniffing the Path (On the Fascination of Classical Mechanics)
- Equation of motion, intuition in physics: Are We All Newtonians?
- Motion of a falling slinky spring: The Falling Slinky and Einstein’s Elevator.
- Principle of Least Action, again – extended version: Space Balls, Baywatch and the Geekiness of Classical Mechanics.
- From Newton’s Law to Navier-Stokes Equations: Non-Linear Art. (Should Actually Be: Random Thoughts on Fluid Dynamics).
- Estimates related to the physics of scything: Grim Reaper Does a Back-of-the-Envelope Calculation.
- Back-of-the-envelope cross-checks, hydro power: All Kinds of Turbines.
- Torque, forces, precession, nutation: The Spinning Gyroscope and Intuition in Physics.
- Another way to explain how the gyroscope works: Intuition and the Magic of the Gyroscope
- Coriolis force (1): The Twisted Garden Hose and the Myth of the Toilet Flush.
- Coriolis force (2): Lest We Forget the Pioneer: Ottokar Tumlirz and His Early Demo of the Coriolis Effect.
Physics and geometry
- My first (later corrected) proposal of a solution: Physics / Math Puzzle: Where Is the Center of Mass?
- Correcting my earlier proposal: Revisiting the Enigma of the Intersecting Lines and That Pesky Triangle.
- Newton’s geometrical proof of Kepler’s laws: Mastering Geometry is a Lost Art.
Quantum Mechanics and Quantum Field Theory
- Interpretations of quantum mechanics: Is It Determinism if We Can Calculate Probabilities Exactly?
- Quantum Mechanics versus QFT: Quantum Field Theory or: It’s More Than a Marble Turned into a Wiggly Line.
- Started a series: And Now for Something Completely Different: Quantum Fields!
- Summary on QM: May the Force Field Be with You: Primer on Quantum Mechanics and Why We Need Quantum Field Theory
- Quantization – starting from statistical mechanics: On the Relation of Jurassic Park and Alien Jelly Flowing through Hyperspace.
- Path integrals and symmetries: Learning Physics, Metaphors, and Quantum Fields.
- Book review: Student Friendly Quantum Field Theory.
Electromagnetism and special relativity
- Unification of Two Phenomena Well Known.
- Charged particles lose energy when accelerating: Why Fat Particles Radiate Less.
- An alternative way of understanding SR: How to Introduce Special Relativity (Historical Detour).
- List of resources: Learning General Relativity.
Using physics-like methods in economics and sociology
- Networking theory, instabilities: Theory and Practice of Trying to Combine Physics with Anything
- E-Mails and communications: Using Social Media in Bursts. Is. Just. Normal.
‘Philosophical’: Learning physics, culture
- On trying to explain physics without math: Real Physicists Do Not Read Popular Science Books
- Re The Trouble with Physics by Lee Smolin: I neither Met Newton nor Einstein
- On learning physics: Stupid Questions and So-Called Intuition.
- Re Margaret Wertheim’s Physics on the Fringe: Physics Paradoxers and Outsiders.
- Physics as Therapy (1): In Praise of Textbooks with Tons of Formulas (or: The Joy of Firefighting).
- Physics as Therapy (2): Ploughing Through Theoretical Physics Textbooks Is Therapeutic.
(This has been written when our blogs have still been separate websites hosted elsewhere.)
I start a radical experiment: Opening my blog's editor, and typing what I think right now - however, planning to never publish it to WordPress.
Contrary to what seems to motivate many freshly minted bloggers, and netizens inhabiting social web worlds in general, feedback and interaction had not been my primary goal. The appeal of writing 'in public' is that on principle somebody could read what you wrote, that the internet never forgets, and that you have to hold yourself accountable to what you wrote. Have to endure reading what you wrote when you were a different being.
The joy of my early web projects was also their subversive, semi-secret, and pseudonymous nature. Online spaces were wild places, blank sheets of paper, laid before me to hone my ideas.
There is another motivation for writing online, and this is as unrelated as possible from the philosophical approach: I enjoy crafting technical arguments, documentation of technical projects, 'science writing' because I want to force myself to turn my thinking into a consistent linear thread. I want to challenge my own ideas, find the loopholes in my own arguments. I know that my blog articles may be either boring or opaque or both unless the reader has explicitly searched for content like that. But actually the latter audience is who I am perhaps writing for: I have found so much useful tech / science stuff online, for free and in sublime quality, for my professional work, my own education, my pleasure of reading - and I do not want to remain on the receiving end of this communication only.
My second motivation - tied to a minimum level of 'feedback', page views by fellow geeks - only seems to work for my articles written on our German blog: We only blog about two times a month now, but despite the smaller theoretical audience of German speaking readers the other blog has many more views, and views are still increasing. My English blog has fallen into oblivion again after I blog only twice a month and/or after I focussed more and more on energy, heat pumps, and down-to-earth engineering and physics of everyday life.
These are my personal recent top articles in the Physics / History of Science category so far:
- Peter von Rittinger’s Steam Pump (AKA: The First Heat Pump)
- Rowboats, Laser Pulses, and Heat Energy (Boring Title: Dimensional Analysis).
- Hacking My Heat Pump – Part 2: Logging Energy Values
- How Does It Work? (The Heat Pump System, That Is)
When I blogged about quantum theory, basic and un-original as my articles might have been, my blog was 'viral' in comparison to that.
But ironically, a silent blog brings me closer to my other goal: Using the silent online space to write just for me, holding myself as accountable as possible though. Last year I overhauled this / these website(s) here, and it turned more into a blog. Now I finally know what the purpose of having effectively two blog(-like) sites is:
Here, I give myself permission for introspection and self-centered updates. I don't share subversiv.at links anywhere on social media. If somebody wants to read this, he or she really has to be determined and go to the 20th page of Google search results. There is no interaction. Of course this is also a consequence of my minimal web programming, but feedback can be a blessing and a curse. You (or maybe only: I) tend to write more about what 'people have liked before', or at least you feel a little bit guilty if you expose your loyal readers to something unusual - which turns each new post into a challenge, one you'd like to dodge sometimes. My writing self is quite 'authentic' here, in modern parlance.
But I don't want to appear fake on my real blog, the one that has much more content than this page, much more carefully crafted, and I don't want my blog to die. My solution has been - since a few months, I am only post-rationalizing now - to stay away from the autobiographical, from opinions, from the philosophical, from big ideas ... and to focus on hard things. The stuff I do really know. I think The Internet would be a better place if people would only post or comment if they 1) had thorough education on the subject, 2) practical experience with it, and 3) skin in the game - being personally exposed to risks and consequences arising from putting their opinions into practice. (In reverse order.)
So on my blog I just try to be useful (hopefully) to some tech and science enthusiasts, and perhaps a bit entertaining. If I ever find a more useful 'spin' to what I have written here now, I might actually turn it into a blog article, like: What I learned from having two different websites. Why I stay away from opinion on the web. What I learned from tech / science blogging.
But for now this posting here will just remain some open-ended collection, snippets of my stream of consciousness, and I am copying these lines to a new 'post' at this silent website here and deleting the draft for a blog post.