I have now been playing on the pentesting platform hackthebox for more than a year. I have been in IT security / infosec for a very long time, but I was very late to the offensive party. It still amazes me why that is. Some random thoughts!
I was not really aware of the exact terminology regarding blue and red teams etc. The Public Key Infrastructures I have built are maintained by the 'networking' or 'server' or 'Active Directory' teams, so I had always considered 'security' to be one aspect of the work the architects and network administrators have to do. Maybe I do not even count as 'infosec' - I am just the administrator of all things certificate-related.
I often sided rather with the people who had to maintain the 'security infrastructures' on a daily basis, rather than with consultants (internal or external ones) who tell those administrators how to secure the infrastructure. People keeping infrastructure at the bottom layers of the network afloat are hardly noticed - until something breaks. I had my share of WHO IS RESPONSIBLE THAT THIS WAS NOT WORKING FOR [a time span very very small compared to the time the system was running well despite lots of changes].
In the book Advanced Penetration Testing a seasoned expert states:
All that is needed for an attacker to gain entry to the most secure environments is for one person to have one lapse in judgment one time. I keep driving this point home because it really is the point. As a penetration tester, I have the easy job. An attacker is always at an advantage. I would hate to have the responsibility of keeping a network safe from attack; I'd never sleep.
I think as a security consultant - red or blue, consultant as opposed to sysadmin / 'devops' - it is hard to fully acknowledge all the conflicting requirements and constraints you have to meet when you need to keep things running. I suspect I also helped implement dumb and insecure things at times, because they were the best trade-off at that time.
Often I found myself pondering on 'opposites', as red versus blue, consulting versus doing, projects versus operations. Should I rather lecture and comment than implement and do? Is commenting and consulting just fence-sitting without skin in the game? I finally decided for more involvement in keeping things running. Actually, I once became a consultant because I feel so terribly responsible for systems and infrastructures, even as an external consultant (usually without a long-term formal contract) who touches that infrastructure once every few months. But every time I was officially responsible for systems it was hardly bearable and moved me nearly over the edge into burnout - I'd better erect that 'external consulting barrier' to keep me somewhat detached.
I also don't want to say that offensive roles are 'easier' - far from it! I do not have real-life experience with pentesting, but I imagine it as consulting on steroids: Travelling a lot, chaotic deadlines, all the non-glorious aspects of consulting in general, politics,... Exactly the aspects that made me abandon the nomadic consulting life-style, by the way.
Following infosec experts on Twitter I notice that there is an old debate popping up from time to time: Should 'infosec' be an entry level role, so should you e.g. go straight into security after college, or should you have experience in other IT and software roles first - as a programmer, system architect, or network administrator? Given my own path I should be in the latter camp, I guess. But on the other hand, again given my own path, I can imagine that you can absolutely become a security expert with dedication and without having spent grueling years, say, fixing clients' my-Outlook-does-not-work issues.
I changed careers a few times, but I could as well present these transitions as a gradual, logical evolution. I had been a newcomer often, and people were asking me: How long have you been doing this? It was meant as a compliment, and I avoided replying with the truth, like: a few months only. When clients considered me a 'PKI guru' I often said that I firmly believe that a student with enough dedication can become that exact type of guru in a year, too.
My blog was originally called Theory and Practice of Trying to Combine Just Anything. I had things like 'Physics and IT' in mind, or 'I had also considered studying philosophy and wanted to be some sort of renaissance person'. Maybe this is how I have approached security, too: I wanted / want to combine all kinds of experiences. It has been my choice, my path, not necessarily the expression of some career advice that would apply to anybody. Playing at hackthebox always shows me how much I do not know - about IT technologies and pentesting methods and tools. Only very rarely can I contribute something original, based on something I really know something about - like in the case of my PKI / smartcard hack.
I feel very much that I am a dilettante - in a positive sense of what the word actually means.
I had a section called Philosophy on my very first website, and I have maintained a page called Principles or Our Approach ever since. It sounds as if those principles had been decreed at one point in time. As if aliens from outer space had dictated them.
However, I could simply say this: For decades I have played with technology, science, engineering, IT and everything in between. I worked in different industries. Each of them had good and bad aspects - regarding the actual subject matter and regarding the way of working. My main goal and hidden agenda was to ever evolve but to keep the good and interesting aspects of each of them. I could spin a story about how everything fits into a grand and big picture, and it is not even wrong.
But it's a good exercise to look at everything as disjointed pieces. At some point in your life those stories should speak for themselves. I have been running my own business for a long time now; I don't have to explain and justify how everything fits together - as if it was part of a great plan.
In no particular order, and without aiming at completeness...
Like the Cobol mavericks at the turn of the last millennium, I support legacy Windows Public Key Infrastructures. I have migrated them over and over and over. I don't pretend I know all the latest buzz words, but it seems I can catch up quickly and connect the dots.
I am herding all the software tools related to sizing heat pump systems, related numerical simulations, and data analysis - the so-called Data Kraken. I could call myself a software developer - I use languages from VBA to C++, and I use pointers and recursion now and then. But I don't mind if somebody insists on this being 'just scripting'.
I have been doing down-to-earth IT system administration for one small business - my second ever customer, loyal for more than two decades.
I get Ask-me-anything questions related to How Stuff Works and If That Stuff is Secure or If That Stuff Can Work at All. For some of that advice people even want to pay.
If you ask what real physics I actually use, I'd say Heat Conduction. Accidentally (?) it was one of my specialties at the university, a long time ago.
I work mainly remote. It's more efficient, it's cheaper for clients, I don't have to travel, everybody is more focused. I don't do political projects (anymore).
I enjoy finding the pragmatic middle ground. I don't take as gospel: Software design patterns, methodologies, engineering standards, compliance guidelines, best practices, 'what everybody says', 'what everybody does just to be on the safe side'.
Taking stock of what I had done so far, I found that two things were part of all my endeavors: Teaching/training and software development. I have also been a student in parallel, most of the time. After I gave an academic lecture about PKI for a few years, I ditched formal teaching, and having completed another master's degree I also stopped collecting degrees and certificates.
For a while now I have been catching up on computer science basics in self-study mode, and this year I have discovered the joys of pen-testing.
I did not have ambitions for 2017. It should have been a year of taking stock - and it was, in a good way.
- I time-travelled and re-lived some history of software engineering, and finally learned basics of computer science. This was philosophical delight, but also useful and necessary: I was able to boost the performance of my simulations (above a level of what was, maybe, embarrassingly slow).
- I tinkered a lot with numerical simulations of our heat pump system. Main thing I learned: The more modern the building, the more you'd need to simulate humans' behavior, rather than physics or control logic.
- Reverse engineering and troubleshooting is what finally connects all the fields of science and engineering I love: Troubleshooting, ferreting out hidden causes and effects in hydraulics feels the same as sniffing and debugging software and networking protocols.
- Theoretical physics reading: I returned to classical thermodynamics and statistical mechanics; I find it fascinating and beautiful in its own right, even if only at the pre-1960s level. I took stock of my writing on heat transport - and I am happy I can actually really use physics on a daily basis, in down-to-earth engineering projects.
- I was thinking about automation, standardization, and big social media platforms. I struggled with this blog post about the future of small business for a long time, but optimism won. I might frame this even more positively today: There is a place for artisanal service delivery despite or because of Everything Being Offered As A Service by Omniscient Data Krakens.
- My blog turned 5 in spring, and I allowed myself to return to a more philosophical blogging style (briefly). Otherwise, I finally and subconsciously made the elkement.blog my main resource of technical content - or at least content related to my professional domain, and content edited for clarity and entertainment. Whereas on elkement.subversiv.at I let my stream of consciousness flow. It seems that the pattern that finally emerges is: elkement.blog = elkement's tech / science magazine and platform for personal research news, with an ever growing focus on fields I have training in and daily practical exposure to. elkement.subversiv.at gravitates against the same focus, but I allow myself to focus on my personal perspective only. So here you find 'what I am doing with [insert: heat pumps, security,...]', over there you find the useful content as such.
- Tomato harvest was great. I tried to grow late varieties - like Ox Heart - directly outside, and it worked.
- Dinosaur Kale tastes good. And it is able to recover from an attack by a bug that targets kale (and radishes' seed capsules). Don't try to keep seeds of radishes in the land of canola.
This website is an old-school non-interactive site. My blog technically isn't, but looks like one now, for the lack of visible comments. However, messages have reached me over covert 1:1 channels, so I do know that there is a small but sincerely interested group of readers. I thank you all for reading my stuff!
Once upon a time this category was intended to comprise what I had learned about philosophy. I had even aspired to study philosophy. Then came the dawn of the web and of unconventional philosophers of web culture.
I had also followed common wisdom, and my first FrontPage-generated business website had a section called Philosophy.
What's left of that, or what has been my conclusion?
I believe - in a pang of cheeky self-assurance - that I ought to have my own philosophy. Experience, business and otherwise, should be good for something. My philosophy does not focus on the grand questions of life. I might have had an argument with my former self, the idealistic student of science who aspired to change the world as a physicist, a profession I pictured as a cross-over of hands-on MacGyver and theorist-philosopher-mathematician, ad-hoc-inventing smart tools while mulling over deep insights on the universe and everything.
The unexciting truth is that my personal philosophy is explained best by summing up the different roles I have ever seen myself taking on, no matter what my job title was. None of them was about making profound changes to the world or being any sort of thought leader.
1) The Reverse Engineer
I have been told that I dismantled (tech) stuff already at a time I have no conscious memory of. I wanted to know how things worked, and I found a way to get there. Some of these activities morphed into a career later, the obvious one having been IT Security - the stereotype field for lone maverick nerds who reverse engineer stuff. Even as a white hat hacker and so-called security consultant you have to indulge in the relentless black hat hacker's mindset - or you become a security bureaucrat, ticking off checklists and following rules. (Which does not mean you should not know the rules.)
But I could as well have turned into a tax advisor or lawyer, given my pleasure in finding out how such systems work.
I disagree with Keep To Your Core Skills, and I have often 'wasted my precious time' by 'not delegating'. I hope or believe - delusionally - that 'actually' everybody has this pleasure of finding things out ((c) Richard Feynman). I am wary of marketing (tech) stuff to allegedly dumb or stressed out end-users who don't want to understand anything about the underlying technology. Perhaps I am talking to less than 10% of people, but after all this is about my personal credo.
2) The Mediator
One of my first ever fantasies as a child that came close to something like a career was being kind of a negotiator or diplomat. I am not kidding: I dreamt about settling peace treaties between Mickey Mouse and his sinister opponents in his cartoon world.
This has impacted all of my jobs, but it finally surfaced explicitly when a client booked me 'for another mediation', which was in fact the follow-up of a very technical meeting.
I had considered yet another training or degree, in coaching, psychology, or the like. However, I am glad that I never left technology for good (see 1). There is a paradox: People want such 'tech project psychology' services. However, they will not buy it if labelled as such yet happily use them if they come as a hidden by-product of technical consulting.
3) The Communicator
Maybe principles 1) and 2) can only co-exist if you bridge them with a lot of talking. During most of my career 'teaching', 'training', or 'lecturing' had been part of my official duties or a side-project done in moon-lighting fashion. I stopped teaching when I became a moonlighting student again. I have also realized that I am not cut out for over-well-managed, structured, quality-assured educational systems. I suck at keeping to my own agenda, and I beg to be carried away by hard off-script questions.
I was not the best class-room teacher, but I think I was good at informal, jam-session-style train-the-experts sessions.
Projects I remember most fondly were those where clients were not only interested in The Tech Guy Who Will Fix Everything but also in my pontificating on fundamentals, even if that was not required to get the job done. But as I said above (1) - I believe it's always worth it.
4) The Organizer and Automator
When I was a child, I was not called upon to tidy up my room: Not only was I self-motivated to clean it - Mr. Monk-style - but I also re-organized my cabinets quite frequently. It was Feng Shui of Decluttering meeting obsession with structure, and it has not changed to this day.
I have extended these principles to the virtual world as soon as I had 'data'. Writing a tool, script, program to automate something is second nature. Some sort of software development has always been part of my jobs - just as teaching was, but I found out only recently that I like data analysis and programming much more.
Proficiency with interpreting and manipulating data, and with using or fixing software is part of our culture and should be trained and valued just as other basic technologies and skills. And of course I believe that we, each of us, really need them! But perhaps it is just my bad luck or my high standards... Every time I just want to use an application or service as a normal end-user I end up with low-level troubleshooting.
I am aware of the picture of the obsessed nerd that I have painted here. I don't underestimate subtleties and human nature though. But nowadays soft skills and people with 'big ideas' are so often praised to the skies, rather than nitpicking, detail-oriented persons, so as Subversive Element the contrarian stance comes naturally to me. Even the most empathic coach who tells burnt out IT guys not to overdo perfectionism will be very happy if a neuro-surgeon or airplane engineer is totally obsessed with flawless technology.
I renamed my blog elkement.blog last November:
Theory and Practice of Trying to Combine Just Anything
The original tagline was
Physics versus engineering
off-the-wall geek humor versus existential questions
IT versus the real thing
corporate world's strangeness versus small business entrepreneur's microcosmos, knowledge worker's connectedness
versus striving for independence.
until it became
I mean it
and finally turned into
Research Notes on Energy, Software, Life, the Universe, and Everything
This means that my blog elkement.blog has found its purpose, and I am able to distinguish blogging better from publishing to this website elkement.subversiv.at. My actual research and 'science writing' is featured on my blog. Over there I am using wordpress.com features I have no desire to develop myself - and this website will remain my 100% home-grown self-developed pseudo-blog with a very limited feature set and no interactivity. The blog has LaTeX support and allows me to present galleries of technical figures and diagrams.
These recent blog articles showcase what elkemental Force has been and is covering now (the end of a journey that started already two years ago - when heat pumps and thermodynamics replaced quantum physics):
My personal website, on the other hand, should be just this: A more self-indulgent site that provides status updates, meta-information and About-Me-style summaries. Because of that I will continue not to share articles from here on any social network.
And so yes: The hands-on engineering, physics, math and data analysis will be done over there on the blog. But there really are personal meta-thoughts on physics - so I don't have to change categories here.
(Theoretical) Physics and Me
Over the Christmas holidays I have been nearly offline from social media. I used the internet as I believe it was intended for me: To learn about something in depth and not necessarily sharing my insights or my 'progress'. I indulged in theoretical physics lectures just for the joys of it. I can rationalize: Yes, a bit of mathy gymnastics also serves me well when I deal with more mundane physics as a professional - such as toying with the heat transport equation.
But the real reason is unrelated to work: Theoretical physics and mathematical modelling of a small part of a complex world gives me the pleasure - and/or the illusion - of being able to understand and solve, well, something. Whenever I had been very stressed out in the past, close to burn-out, I got up even earlier - at 4:00 AM sometimes - to plow through Feynman's Physics Lectures or my favorite German volumes of theoretical physics by my late professor, W. Macke.
Not only did it help me to focus on abstract details of a logically clear universe and to enter a more detached state of mind, but amazingly it also made me work more efficiently and focused later - on whatever technical challenge I had to solve. In those days, I was mainly concerned with Public Key Infrastructure, networking security, and applied cryptography.
With hindsight - and hopefully not too much hindsight bias - I feel that a rigorous training in a mathy subject boosts your results in any endeavor that needs an analytical approach. Perhaps only your physics training makes you realize that you need a more analytical approach at all, in addition to soft skills, practice, and familiarity with the culture in certain industry sectors. I am thinking about project management, for example.
I believe that in any 'STEM' job, e.g. in IT, it is soothing to re-learn fundamentals often. One should know more than seems necessary about 'theory', before or in addition to knowing how to google, where to look up things, or whom of your tech buddies to call. Success in technical troubleshooting always gave me most contentment when I was doing it in my head mainly - like walking through a networking protocol the way it was designed, comparing that to messy reality, and uttering an educated guess about the root cause of an issue which was finally correct.
Whenever I had been blogging about a field of physics not related to my work - like quantum field theory - it was these mental connections I had in mind. I was trying to convey the joys of physics, but my main focus was different from most science writers' ones, so I think my writing was not engaging enough for the interested lay audience and sometimes oblique owing to too many references to math (whereas it was very basic for experts, of course).
My science writing is often a covert and feeble attempt to encourage others to tackle the real thing, that is the fundamentals and the math, and then to feel the same effects. I have seen that more books seem to have been released recently that try to bridge this gap between classical science writing (following the mantra of: Every formula will halve the readership) and text books.
I want to be part of that movement.
The most exciting things, in no particular order:
Infrastructure updates - 'real'
- Turning the supporting construction of the first version of the solar collector into support for new wall heating loops - renovating the old kitchen: German article on the rebirth of the collector.
- Now we finally have what every green-minded home owner is expected to have: A photovoltaic generator, plus smart metering infrastructure: Latest blog posting on data.
Infrastructure updates - 'virtual'
- We migrated three bank accounts, and I learned what I never wanted to know about different ways to set up debit orders. My favorite: an anonymous form on the vendor's website. Security = knowing your client account
- Our village has changed its zip code. I learned what I never wanted to know about how organizations store addresses. Goodie: Opening 'support tickets' turned interactions with big platforms into something human.
Work and Life
- One year ago we joked about it, now we do it: Planning heat pump systems the way we did IT projects - remote-only: Series of German blog postings on a project In The North
- Self-sufficiency, 'green life', and skin in the game: Harvesting 'salad' from the meadow for months: Blog posting on edible plants in the garden
(December 24, 2014. Updated: April 1st, 2015, not funny though.)
The outlook was vague and dubious.
You can take pride in the way you've already mastered.
Fortune favors the prepared mind.
Be creative with what is available.
Don't underestimate the power of the right companion.
Sorry, wrong image! I try again!
I am alone in the fog, but the victory is mine.
I'll pontificate about anything nonetheless.