Flying is just falling and missing, the series!
Howdy and welcome back!
Hey there, internet friend! Thanks for coming back to my blog. This week we all got some bad news, in that peerlyst.com will be shutting down next month. When I got involved in offensive security one of the first things I started doing within six months was blogging, and Peerlyst.com was the place that gave me a platform and frequently featured my writing. Like others, I am sad that they will be shutting down! However, I wanted to be proactive and grab some of my writings so they don’t disappear and share them here. While I am hopeful that the internet archive can swoop in and save the stuff on Peerlyst, I wanted to mirror some of the things I wrote that I am most proud of here. For the most part, I am going to share these things without edits, as they originally appeared. This first post is a collection of three posts I wrote in a series called, “Flying is just falling and missing” and the first three sections will appear as they were originally written. Since I wrote the first one over two years ago and the last one was in November of 2018, I wrote a fourth section this morning updating our journey since so much has changed in the year and a half since that post was written. Frankly, our entire world has changed in the last six months so it seemed prudent to provide a final installment of this series.
So without further adieu, I present the first three chapters of the series, “Flying is just falling and missing” from Peerlyst, with the day published and views at the time I pulled them, as well as a final chapter that brings you up to the present. I hope you enjoy, have a great day, and an awesome weekend!
Also, if any lawyer-types from Peerlyst want to sue me for stealing and sharing my own content, just shoot me a DM on Twitter and I will take this post down. I am not saying I think Peerlyst will do this, they have always seemed cool. Mostly I just want to make sure this content that I wrote to he available freely on the internet remains available and I don’t remember signing a copyright notice or giving up the rights to the stuff I published on their platform. If it turns out that was buried in a TOC just ask me to take this down and I will. I don’t want to get sued I just want to share the stuff I wrote!
Flying is just falling and missing
Originally published 6/12/2018, 738 views
Fellow fans of The Hitchhikers Guide to the Galaxy will immediately recognize the subject of this post, but for the un-initiated, let’s get you up to speed after a little back story. Nearly every Sunday I venture into Spokane to hang out with a friend I met at my local 2600 club. Our activities range from bug bounty hunting to breaking VulnHub images, to attacking boxes on hackthebox.eu (HTB). When I told the story I’m about to tell, I started by talking about Arthur Dent discovering flying.
In the ultimate edition of the Hitchhikers Guide, we first learn that there is a school dedicated to teaching students to fly. But when one of the main human characters discovers how, it is by accident. According to the story, flying is just falling but getting distracted at the very last second and instead of hitting the ground, you miss. It’s falling and missing the ground over and over. But the thing about flying is that you have to first either jump or be falling.
Next week my wife and I are taking off for San Diego, which is our jump. She has a phone interview tomorrow with an unnamed company in the area, but I have been unable to find my next infosec job thus far. I have mostly been focusing on penetration testing positions, as that is where I have the most experience, however, I applied to a job working in a SOC yesterday and I will probably apply for more going forward. Having experience on a blue team can serve to make a member of the red team a better attacker. I know that in my first infosec job my best friend worked on the blue team. We would go on breaks together and I would learn all sorts of things that may one day come out in a POC or paper he writes, but until then I won’t divulge any of his secrets. Other times, when I was attacking a target that was managed by our SOC, I would ask him to look at the logs to see where or if I was being blocked by any firewalls. It would be very interesting to see that the firewall said I was being blocked and/or banned, but I still saw results from scans. The people who spend time defending networks have unique insight into ways that attackers could go undetected or at least be more sneaky.
You may be thinking to yourself, “it’s pretty bold to go over a thousand miles with no assurances” and you might be right. However, both my wife and I have done things to raise our profiles to the companies we are applying to, and fate favors the bold! I’ve written articles here about having liberal arts degrees and transitioning to work in infosec, and my wife has done targeted social media campaigns to gain the attention of beauty companies she was applying to, in an industry she has over a decade experience and applied to close to a hundred jobs to get her Skype interview. We are willing to make bold moves to stand out from other applicants. We speculate that perhaps part of our problem has been that we are not living in the area that we are applying, as most of the jobs we’ve applied to have been outside the Spokane area. Applying to jobs in California with a Spokane area code on my resume has been a problem, along with my non-traditional background.
Our family motto is “never give up” and I don’t want to. However, I have a family to consider and while I want to find another infosec job, I’m getting to the point where I will almost take anything, even outside the tech field. When I was 18, I was certified as a typist at 90 words per minute – the second fastest that the guy who administered the test had ever seen, and that person typed 92 WPM. Between that, five years plus IT experience, a graduate and a few BA degrees, I should be able to find my next opportunity.
Which brings us back to the subject of this essay. In some ways I feel like this is either falling or jumping without a net, but the reality of flying is that those are the only two ways to do it. Some of the biggest and best experiences of my life have come from not having all the answers but just going for it anyway. This will be a fantastic adventure, and I am thrilled that I get to undertake it with the love of my life.
Finally, I will be in southern California next week and would love to interview for an infosec role at your company. You can find a link to my LinkedIn profile here on my Peerlyst page, or my Twitter DMs are open, and I tweet @whatever_sauce.
Thanks for reading!
Flying is just falling and missing part 2
Originally published 7/11/2018, 406 views
Howdy! A few weeks ago I wrote an essay called “flying is just falling and missing” and as my wife and I were driving down to California from eastern Washington I kept thinking about writing a follow-up. A few (fairly major) things have changed and I thought it might make for an interesting story. So strap yourself in and away we go!
When I last wrote, I thought that we were on our way to San Diego. However, it turns out that we were actually on our way to Orange County. My wife is one of the most awesome people I know and she crushed her interviews. As we were driving back to Cheney the next day, she got an offer for one of her dream jobs, and she accepted. So we drove back to Cheney and spent the next week frantically trying to pack up all our stuff and moving out of our place. We rented a U-haul and filled it up twice in one day. One load we took to the dump, the other to Goodwill, then drove the five and a half hours across the state to stay with my Dad for an evening before heading California.
We left on Saturday, June 30th and began driving south. It took around three days to finally reach Orange County and we stayed in an Air B&B for three nights until we found a month-to-month lease on an apartment in Tustin. We spent the weekend buying a bed (and a temporary air mattress until the bed can be delivered) and restocking the kitchen with plates and tools, since we did not have enough room in our cars to bring them here.
Since arriving in Orange County, I’ve been on a job-finding blitz. I’ve been to the local staffing resources, had a phone interview with a technical recruiting firm, and reached out to a few other contacts. I’ve also started applying for many more jobs outside just penetration testing roles. I’m on pace to apply to thirty jobs per week, and will continue to do so until I can find my next opportunity. Since my most recent background is in offensive security, I’ve been looking for jobs in that field. However, I’ve started expanding my search to include junior systems administrator jobs, as I have been using Linux for a decade in my personal life and I’ve read that spending time administering systems is high on the list of ways to improve information security skills.
I will freely admit to you that this is a scary time right now. While I consider myself to be pro-feminist, I am deeply uncomfortable with not having any income while my wife works full time. I want to be able to contribute to our family finances and also move us out of this one bedroom apartment to a house so we can also bring our son down to live with us. All of this needs to happen before school starts next month.
So I will also freely admit that I am feeling very stressed. I called the last post flying is just falling and missing, and I feel that there have been a few times where we have just narrowly missed the ground. Once again it feels like I am starting to get close, and it is a feeling I really don’t like.
One final note. If you are reading this and thinking to yourself, “I was with him up until the end, but exposing his fears and anxiety isn’t that cool. He should just be strong and keep quiet about it.” Then I just want to say this. My wife recommended I watch the new Queer Eye and something Karamo Brown said really stuck with me, and I’m paraphrasing here because I don’t remember that exact quote. He said being vulnerable doesn’t make you weak, it actually makes you strong. Because all of us are vulnerable in some way or another, and just denying it is a little unhealthy. Also, if you’ve never seen the new Queer Eye, just watch the first episode of season 1 on Netflix and if you aren’t hooked, it’s less than an hour of your time. If you do get hooked, you can thank me later.
So thanks for reading this post. If you have any opportunities in Orange County, California or remote, please don’t hesitate to reach out to me here or on Twitter, where I tweet @whatever_sauce and my DMs are open. I would love to talk to you about an opportunity as a junior systems administrator, SOC analyst, or penetration tester at your firm.
Flying is just falling and missing part 3 - the final chapter
Originally published 11/13/2018, 660 views
It has been a few months since my last post in the Flying is just falling and missing series, and I wanted to follow up as I have finally managed to get some traction. After applying for close to one hundred jobs, I landed a position as a security analyst helping a firm provide additional offensive security services. I’ve been meaning to write this post for quite some time, I’ve just been really busy getting situated in my new job and moved into a new place. In fact, I’m pretty confident this has been sitting as a draft for at least a month while I got too busy focused on this or that project. I would love to say that I did something special in order to land the job, that it was networking or blogging that helped me land this position. However, the reality is not quite so exciting.
I had been in California for a few weeks and only managed a few interviews. One went really poorly, the other went better but they decided to offer the position to someone else. That ended up being a blessing because it was very far away from where we ended up living. I went to a temporary staffing agency and had a meeting with one of their recruiters. I had taken a typing test where I managed over 100 words per minute and was just trying to find temp work doing data entry while I looked for an infosec role. This recruiter instead sent out my resume to the firm that ended up hiring me at the perfect time. This firm is a MSP that was looking to start offering penetration testing. After a few interviews I was offered a position as a level two security analyst.
So far I have really enjoyed working for this company. I am learning lots of useful things about building computers, systems administration, and powershell. I ran Windows for the first few months but for reasons I’d rather not go in to I am running something else. It’s been awesome learning more about the internals of how systems work in business environments and I would say I am getting better every day, which is always my goal.
It turns out that the title of this blog series really ended up being true. When my wife and I moved to California only one of us had a job. We didn’t even have hotels reserved before leaving - we just loaded all our stuff into our two cars and took off. Like Arthur Dent in the Hitchhikers Guide to the Galaxy we were flying, in so far as we kept falling and missing the ground. There were a few close calls and some very lean times, but all of our hard work is paying off.
If you are reading this and thinking about taking a risk, I would encourage you to give it a try. Sometimes things don’t work out. I wrote recently for my friend InfoSecJon about all the failures I’ve had in my life - and there have been many. However, all of them ultimately led me to where I am today. So don’t be afraid to fail. If flying really is just falling and missing, and you want to fly, you are also going to have to jump.
Flying is just falling and missing part 4 - two years later
Originally published 7/31/2020, and I don’t track views here
Turns out I’ve been starting articles with howdy for the last two years - who knew? As a quick aside, if you’ve ever wondered why I use words like, “howdy” and, “y’all” when I am from Washington state, it’s because my Dad is from Texas and y’all doubles as a fantastic gender non-specific way to refer to groups! My point in writing this follow up isn’t to talk about why I use these phrases, though I hope that at least one person who reads this will go, “oh! That’s why he always writes like that!” Instead, I want to follow up with how the theme of this post, that flying is just falling and missing.
I worked for the MSP I mentioned for almost a year before I was poached by a company with an offer that sounded too good to be true.1 I was going to be able to work from home, there would be a training budget, and they wouldn’t max out my utilization (for those who aren’t consultants or are unfamiliar with the term, utilization is the percentage of a consultants working hours each week that we are billing clients) instead they promised to never have me at 100% util, and I would be assigned a mentor. Turns out that I was assigned the mentor who was too busy to provide guidance, and while I got some great tips from my coworkers and learned heaps from them, and I managed to get some basic cloud training, when I asked my boss not to insult me I was fired. This lead to a frantic scramble to find a new job, but I ultimately landed at a place that actually provided almost everything I was promised by the firm that gave me my next opportunity after the MSP.
Just as a practical example, I’ve been intensively studying cloud security for the last two weeks and I will have more time to focus and study before taking the AWS Security exam, and my employer is going to reimburse me for the cost of the exam and prep. I’ve also had the opportuntiy to work on mobile assessments, web application penetration tests, and API assessment, VPN and segmentation testing, a six month project management engagement, and there are plans to teach my threat modeling in the next month as well.
All of these opportunities would never have happened if we hadn’t made the leap and moved to California when only my wife had a job. Looking back, this was a really risky thing to do, and it feels like the title of this series has really been appropriate. My employer does not have an office in Spokane, and even if they did my wife did not like the area - it was too cold for her. Since moving to the desert she says that her pain is lower, which is really important for me. As I’ve mentioned time and again, my most important job in life is to be a husband and as hard as I work on my career, it pales in comparison to how hard I work to make my wife love me even more than she did the day before. Everything I do in life, from my career to improving my guitar and bass skills is ultimately for her. Even though we are married I never want to act like I already have her. In my mind I like to imagine we are dating and she is still on the fence about whether or not she is going to love me or kick me to the curb. So if I work really hard to make sure I take her on dates (even during the pandemic), and that I give her the things she wants, and try to find new ways to make her happy, that I will get her to love me. I know that she already does, but I never want to take her love for granted.
Now I am going to change the subject from love to something equally as serious. I know things are scary in the United States right now. Between the pandemic raging out of control and the absolute lack of any leadership in Washington D.C. willing to SERIOUSLY address our myriad problems, it is really easy (and probaly the sensible thing) to be scared. However, there are also a number of HUGE opportunities available to people that look closely and are very bold. What I am going to write next isn’t new, groundbreaking, or particularly shocking - I’ve seen it written and said by others so I don’t think what’ll come next is going to rock you to your core. However, some people are going to get rich over the coming months and years, and they aren’t going to be people doing “business as usual.” Things are going to be moving more online and away from in-person for the next year at a minimum, so it’s important to give serious thought to using the time we have stuck at home to learn some new skills. Like cooking great food, it isn’t enough to just do it, you have to also share it on the internet so other people can know you did it! Whether that be writing about it in a long form, whether you put it on a platform or create your own blog, just write about what you are doing! Everyone has a unique perspective, and even if you are writing a basic tutorial like, “quick and dirty nmap tips and tricks” you might be providing tremendous value to your readers! One of my most popular posts on Peerlyst was just five nmap tips and tricks that I’d picked up, and it had something like two thousand views. If you are thinking to yourself, “I shouldn’t write this tutorial or write up because surely someone else has already done it”, I’ve got two things to say to that. First, don’t let that stop you! YOU haven’t written it yet, so there isn’t an essay from your perspective out there, at least not until you write it! While it may be the case that others have written on the subject, it hasn’t come from your perspective or with your spin on it. You might explain it in a way that helps it finally click. Maybe someone has read four other essays on nmap but it is the thing YOU wrote that finally clicks? Second, don’t call me surely!
If you are at this point in the really long essay and don’t believe it is possible to make a huge change in your life, consider this. I wrote the first essay you read from a two bedroom duplex in Cheney, WA. I am writing this essay from the house my wife and I bought and closed on two years to the day from when we arrived in California, where only one of us had a job. Granted I had five years industry experience, two BA degrees as well as a MA, but they are in liberal arts and I had to find and convince an employer to give me an opportunity. Ultimately it was a temp agency that helped me find that opportunity. Which is to say that flying really is possible, but you have to jump first! I know I have a tremendous amount of privilege, but I want you to know that it is possible to do what I’ve done, because I did it. If you want to achieve your dreams too, I suggest the Napoleon Hill method.2
Back in 1937 a man named Napoleon Hill released a book he spent two decades researching, and he called it Think and Grow Rich. I’ve not finished it yet, and hence not done a full review, but what I will tell you is that he interviews the dudes who ran and created some of the biggest businesses in the history of the United States and regardless of what you think of them personally, you cannot deny that people like Henry Ford, Thomas Edison, J.P. Morgan, and Andrew Carnegie changed the world. Whether they changed it for the better or the worst is not the point, if you are interested in learning about HOW they changed the world, Napoleon Hill interviews each of them and shares their wisdom in his book. One of the things that he suggests in the book is to spend time thinking about what you want to achieve in life. Specifically, think about what job title you want, and the level of salary you want to be paid from this job title. Then write them down and put it in a place you can see them every day, like the bathroom mirror where you brush you teeth. As you are brushing your teeth, imagine you already have the job you want and are getting paid what you want to be paid. Think about how it will feel, and what your day will be like. Say aloud what it is you will do, and how much you’ll make. I went a step further and wrote, “Winners never quit, and quitters never win” and put it in a place that makes it the first thing I see every morning. My wife, the awesome and amazing artist, took the words and made a more pretty and aestetically-pleasing version, and it remains the first thing I see when I wake up. This corresponds with our family motto that was mentioned in one of the earlier essays, “never give up”!
One final note before I start to end this already really long post. Next week is DefCON28 in safe mode and I am really looking forward to this virtual con and hanging out with my friend Acetolyne. I think it is really interesting to note that he is the friend I mentioned in the very first essay, and we are even better friends today than we were back then. I always had a feeling that he and I would remain good friends I am really happy to report that our friendship is still going strong!
Now I really am going to end this really, REALLY long post, and I want to do it on a most positive note. While things look bleak in this country, remember that there is tremendous opportunity right now. Jeff Bezos is getting richer by the minute - Amazon is making a fortune, and companies are starting to get more serious about moving to the cloud. There are fantastic opportunities for people to figure out how to get things delivered to people at home, and despite economic turmoil there are going to be people who make money in the next year. You can be one of them. It is also perfectly acceptable to stay at home, binge Netflix, and just survive the pandemic. It is just as important that we all stay safe as it is to keep grinding! However, if you are looking for something to do, many of us have the benefit of time. Even if you decide to try something and fail terrifically, you can still write about it and perhaps it might spawn a different opportunity. Or you try something and totally hate it, you should still go for it and write about it! Each of us have a unique perspective, and unfortunately the only way to find out if you can fly is to leap!
- Spoiler alert about things that sound too good to be true. They often are! [return]
- I mentioned that I am not doing a full review, but I want to mention here that the Napoleon Hill book is not perfect. Some things haven’t aged well since being published in the late 1930s, and these things are going to come out when the more thorough review does. [return]