Written by Tim
My “Weird” Path to Infosec
This article was inspired in part by the growing number of people tweeting about thier infosec Journeys. As mine is a little long, I though I would blog about it, rather than tweet.
It is well established that I am reasonably old. Not massively old, just reasonably. Apparently, I am a member of a generation which is called the Xennials. I had an analogue childhood and now live in a digital time. When I was growing up, InfoSec wasn’t a thing. As a youngster, I really enjoyed (to my parents chargrin) dismantelling things, usually electronic things, to see how they worked. I would put them back together. Or at least try. To quote Dave Lister from Red Dwarf “It’s always the same with DIY, isn’t it. A few bits and bobs left over.”
In my teens, I had my first computer (A Commodore 64 C) which I shared with my brother. Shortly after, I got a Commodore 128D, and a couple of printers. This start helped me learn typing. I was also interested in programming, but at that stage, it looked a bit like magic. Still, I could write documents and manage files.
The next computer I got was an 8086 PC with a 10Mb harddrive. My Dad had brought this home, in part for me to play on, but also to do work on. My first real exposure to business software was on this PC in the form of Supercalc. Supercalc was, at the time, the killer app for the PC. It was a spreadsheet program. This was before Excel. The program ran on top of Dos. It was, compared to the programs of today, awful. For all its faults, this PC did teach me about managing the disk space. The PC may have even had the fabled 640K RAM, as made famous by Bill Gates.
During this time, I was messing around with an Electronics project lab. One of those old 200-in-1 things. I seemed to break every component of the thing. When I finally moved on to Uni, I had a notion that I wanted to join the RAF as an engineer. More specifically an Electronic Engineer. While at Uni, I struggled a bit with the Electronic Engineering Course. I ended up retaking the first year again. I did, however, enjoy the programming aspects - C and Assembly.
My “re-fresher” year was better. I had met a friend in the pub at the end of my fresher’s year, and he was repeating too. He lead me in to the Ents (or Events) crew, which I really enjoyed. We were a group of geeks enjoying playing with running a night club. We would wire up the nightclub for sound and lights. We would also dress the club as well, and best of all, it paid.
In my later stages of Uni, I also started working in the Uni’s computer shop. This gave me experience dealing with customers, as well as getting to play with hardware I wouldn’t normally be able to afford. It was quite surreal actually giving one of my lecturers tips on the best computer to buy. In my spare time, I’d taught myself Perl and started playing with Linux (Redhat, for the curious).
After Uni and a brief dabble in Student politics, I moved on to my first proper job - A Network Administrator and Systems Developer - for a small Trafford based company. It was fun, and enjoyable. The workplace was great, and my main co-worker was a great person. He was the first person who piqued my curiosity with Security. Cisco had just announced a DoS Issue for one of their routers. We had this router in our office. We tried it out. I remember thinking that it was both cool and how could this happen?
By this time, I was developing the systems in PHP and MySQL - Don’t judge me. In those days, everybody did it. I started to find a few issues in code that my boss had written. I found I could upload code and have it run on our web server. My boss fixed the issue. We also started playing around with SQL injection. At this point, I hadn’t heard of OWASP, and if they were around, they were in their infancy.
Time moved on, and after 4 years, so did I. I went to join an ISP as a VoIP systems developer. Working for this company was a different challenge. I was actually building a phone system. If you’ve seen FreePBX, it was a bit like that, except it would run multiple servers. The VoIP side of the ISP, like a great many things, didn’t quite pan out as expected, so the Voice company was merged in to the parent, I began the task of learning how an ISP worked.
At this time, I bought myself an APC Masterswitch. Partly because they are cool, partly because in my previous job they were a necessity. I’d also heard they were exploitable remotely, and in my previous job, we’d secured them from the internet. Shortly after my parcel arrived from Ebay, and I had configured it, my then Boss showed me the exploit, as he had been the one who found it. I was really interested in what he had done to uncover the issue. Security, at this time, was creaping more and more in to what I was doing. I started reading more and more news about security issues. All my designs for solutions were now being reviewed with security in mind.
When this company was sold off, I didn’t know if I would have a job. I put my CV out, and the current company I work for found me. Now armed with doing things the right and secure way, I helped the company become an ISP. I carried on reviewing all the updates out for the servers, as they were on the internet and prime targets by “hackers”. I carried on in this way, until Heartbleed hit the news. I gave the company the early warning for the issue. We were able to co-ordinate the response effectively.
A little bit later, I was asked to apply for a job in the security dept. I jumped at the chance, and so ended my wierd journey to infosec. The journey in to Infosec may be over, but my career within, is only just beginning.