Wednesday, July 16, 2014

Moving swiftly onward...

I love hacking stuff.

Not in the "I'm going to steal your credit card numbers!" way, but in the "I wonder how THAT works?" way. I do admit to a certain visceral thrill to being able to get to the place where I COULD do bad things, but once I get there, I am not interested in the actual stealing. Doing that kind of work for a living has been a dream for years. I have had that exact gig with two different companies over he last four and a half years. It's not been 100% of what I have done, but it was enough to be fun. This sort of cool gig comes with constraints though. More so in this last iteration than the one before. Previously I worked at a smart meter manufacturer. Part of my job was to figure out how someone could hack a meter or the system supporting it. It included some very cool work, and as long as I didn't expose any trade secrets, put a utility at risk, or worse yet put lives at risk, I was allowed to publish. Still, I was able to produce some cool findings and land some speaking gigs while I was there. I figured that moving to a firm that specialized in that kind of work would mean doing more of it. 

Not so much...

It turns out that doing research like that doesn't make all that much money. That means it doesn't come along very often and in order to keep the lights on, you have to do the "boring" stuff. It also, ironically, turns out I am pretty good at the boring stuff. Much to my surprise I actually like doing it. As a result, I wound up doing primarily compliance work. Some pen testing, but mostly compliance. Now, there are a lot of people who are better at hacking and pen testing than I am or will ever be, so when the cool stuff comes in, the people who can really rock it get to do it. That means I have not been able to do the cool stuff I enjoy all that much in the last two years. What cool stuff I have been able to do, either on my own or for my employer I have had to stay quiet about because the stuff I hack, when I break it, upsets companies who make the stuff. Companies that may otherwise want to do business with my employer. That other stuff is worth more money than my cool hacks, so it's not a good idea to piss them off by breaking their stuff gratuitously and then publishing it. That's just smart business. Companies don't exist so people like me can do cool stuff, they exist to make money. Thus was I able to do cool things that I simply couldn't brag about. I kept up doing what research I could afford on my own, but it's not as much fun when you can't show it off. 

With the realization that I enjoy building compliance programs I have decided to change employers and positions to one where I can focus all my career energy on building a compliance program for an organization that both wants and needs it. They want the work I am doing, and they like the way I do it. I like having a "normal" nine to five job where I rarely travel because I've spent the last ten years of my career being away from home more than half the time. 
I have missed the majority of my kids lives. Not cool. 
The new gig will have me working from home the majority of the time. Very cool.
All this equals a new job. The place I am leaving and the place I am going aren't terribly relevant to the point I want to make here. Suffice to say that the employer I am leaving is a well respected security consultancy and the one I am joining was a client of theirs.

So the Other cool thing is that I get to keep doing security research. I never actually stopped. The difference is that it won't be associated with my employer, I am just doing it for the sheer joy of hacking. If I offend a manufacturer by finding a flaw in their product, I don't have to worry that they will decide not to do business with me or my employer.

I can publish. Or not. 
I can rant. Or not. 
I can break stuff and show it off. Or not. 
I can speak at conferences. Or not. 
I can speak my mind. Or not.
No editing. No toning down. no more people with no experience in my topic trying to get a word in.

The only rules are "Don't be a d*ck." and "Don't violate existing NDAs"

My current research projects include practical cryptography in IoT, embedded, and PCI, some oddball RF stuff with satellites, the usual social engineering + wifi stuff, and anything I can make an SDR do.

Stay tuned...