Making Your Path in InfoSec
Last Updated on Friday, 18 December 2009 04:50 Written by Administrator Monday, 16 November 2009 14:09
There are often times in our lives when we spend extended time reflecting on our choices and decisions. I had the opportunity to do just that recently, and wanted to jot some of my thoughts down. What I concluded was: even if you take the road more traveled, you can still find appreciation in the work you've completed. And, most of all, the Information Security field may be the best field in which to make your own job and write your own rules.
What got my head churning was remembering a recruitment message, sent to me over IRC in the late 90s, to join a very well known security company that did exploit research. It was a solid job offer and everything checked out. However, here I was, 18 and just graduating high school. The company was in Atlanta, GA, 800 miles away. The pay seemed great for someone just out of school. At the time, I was a member of a number of scene groups and had dabbled in software cracking, bots, and malware. But the fear of possible legal trouble really turned me off from the scene. And so I turned it down, as I did with a number of other offers that came down the road.
I loved the security world, and shared the secret joy when SATAN (later SAINT) was released, along with the other toys of the trade. But there was no InfoSec community during this time. Hackers were evil people who were pillaging the elderly. And I wanted to do good things. The concept of white-hats was unknown at this time. And yet, at one point I visited a 2600 gathering in Philly and was pretty depressed by the people who considered themselves to be 31337 hackers. And there was the crux. Your career options in the field at that time were extremely limited. You were red or blue. I wanted to do the work, but I didn't want to be a "hacker". I turned down the job offer and not long after retired from the scene. I hung it all up and started my life as a basic network admin.
However, I eventually found myself in a position teaching digital forensics to federal/military law enforcement. I guess it could be called fate. Mentally, I started from scratch, and tried to bring a n00b perspective to the field. That changed when I had the chance to work alongside Johnny Long. He instilled in me that I shouldn't be afraid of my background, and should exploit it for good. At the time, we were teaching network intrusion response, with a 100% focus on forensics. With help from other passionate instructors, we started integrating a bit of hacking into the course. We showed buffer overflows on vulnerable Solaris machines. We let the students telnet in and do it themselves, then look for the forensic traces of their actions. But it wasn't enough.
Johnny had the great idea of developing a two-day hacking class for the 2006 DoD Cyber Crime Conference. We designed the curriculum to be fairly high-level, yet modular by experience level. We broke the class up into four groups based upon their experience, then started showing them scans and exploits. The advanced group in the back literally fried a 3Com hub, and everyone loved it. We brought the class back each year thereafter, and there was a continual waiting list of people wanting to attend.
After a few successful runs, and a great deal of positive feedback from the conference, we broached the idea of a full, official hacking course to be taught to military investigators... and we got the green light. Thus was born the Network Exploitation Techniques (NET) course, which I was happy to help design and develop. Early this year Johnny left to follow his passion and commit himself to his charity work. We all decided to retire the 'Hacking Stuff' class that had been an annual staple.
Ultimately, there was a hidden lesson in the whole mix. I've taught hundreds of security individuals from all walks of life and from many corporations and government entities. And as every year went by, I noticed a greater range in the job titles and descriptions being used. When I had the chance to sit and talk to people at conferences and meetings, I found a lot of people with the same story as myself. They wanted in, but didn't want the label of 'hacker'. Through sheer determination and logical thinking, they were able to create their own jobs. Having been through that, I can say there is no better feeling than your boss sitting you down and saying "We need an XYZ and you're it. Write up a job description for yourself and give it to me by COB Friday."
I wonder sometimes how things might have changed had I taken a different road in life, and then I realize that it doesn't matter. If you have a passion and drive for what you do, it will all come full-circle. You will eventually find yourself happy in your work and life. If you have a passion for security, you will subconsciously find yourself implementing security in your current work. The same trials you face today will happen in other life streams, just in different weather and locations. So, find what it is that you enjoy and just do it. And while it's been 10 years since I've sat down with a disassembler (except for a few simple, small projects for fun), I know that there will be another day ahead of me when I will take up my old passions and put them to use again.