January 01, 2021
If you are interested in contacting me professionally, please go via my LinkedIn profile.
This is about my personal history with cyber security.
During the late 90s, while in high school, I got my first computer: a 300 MHz Pentium system with Windows 98 SE installed. This was a top-of-the-line system and the family even splashed for the upgraded processor from 266 MHz. It wasn’t long until I had discovered IRC and different security communities like 2600 and Phrack.
I found myself joining groups of crackers who would deface websites for fun. The Internet was very much the wild west. The family Windows 98 computer was now dual-booting with Red Hat 5.2.
IP scanning, port scanning, telnet sessions and ssh connections were all common practice. IRC was still used, but within certain communities it was swapped out for IRCS (Secure IRC). Trojan viruses like Back Orifice, Netbus and Sub7 were commonly used. Weird IP scanning programmes written in French were the best of breed.
We were busy during the 90s. Free unlimited dialup Internet, accounts on University servers in foreign countries and Cisco routers configured as proxy servers globally. The Windows 98 partition had shrunk to support only a few applications and the Red Hat option was now the default boot.
A couple of conversations with local law enforcement changed the hat from Black to Grey. Conversations with the lead detective indicated that I should pursue a career in Cyber Security.
While all of this was happening, I was given the opportunity to head to the local university while still 15 years old to take a programming class. I jumped at the opportunity and started my first class learning Visual Basic 6. I passed this with flying colours and was given an invitation to go to University at age 16. I could complete a Certificate in Computing that would give me entry to a Bachelor’s degree without needing to finish High School. I jumped at the chance.
My first year of University. I spent my days in class and my nights on IRC. Microsoft Frontpage was a blight on the Internet and we made the most of it. I had learned Visual Basic 6 and was working my way through HTML, SGML, XML, XHTML and a mix of other languages that would soon be dead. I had my first professional contract making a website for a local real estate agent for $150. Netscape Navigator was the browser of choice. Google was a thing but Alta Vista was still the search engine of choice.
I passed my certificate and was given the chance to enrol in the Bachelor programme.
I spent the first few months attending classes for my degree, but quickly found the limitation of subjects to be a struggle. Learning Informix Database and early Java was nothing short of painful. It wasn’t long before my classes were being used for recreational study and my interest in completing the degree had fallen off. I left after the first semester and enrolled in a Computer Hardware course where you got to build your own computer from scratch that you then owned. This was a great way to get an upgraded PC while learning how to become a computer technician. My PC was built running Windows 2000 dual booting with Slackware Linux.
This was a fun time. My friends were also dabbling with hacking and I remember carrying around CDs of exploits in our bags for fun. One of these CDs was presented to the lecturer of the computer hardware course who had proclaimed that if we gained root access to their server, we could keep it for the rest of the semester. Due to their Linux server running wu-ftpd this was an easy task.
I travelled 400kms to another city to meet a group of 2600 members. It was a great weekend away visiting offices, chatting to hackers and eating great food.
Time to move city and start a new degree. This one offered Oracle databases, Cisco networking and Delphi. This was a good range of languages and technologies I’d be happy to learn. A job with a small local IT firm working as a computer technician. I was responsible for spec’ing, buying, building and delivering desktops and servers. We delivered to local businesses and schools. As more work came through I found myself setting up email filters, web proxies, ssh remote access jumphosts and ISDN lines.
My days were split between attending classes and working as a computer technician. My evenings were spent on IRC and learning to program C++. Security was part of the job, but more emphasis was put on learning how to be a leet coder. I was learning C++, Delphi and Pascal.
During one class we had a student from another university attending. He was doing his PhD in Computer Science and his area of focus was Beowulf clusters… something I’d never heard about. We started to chat about how he was doing it and what problems they were encountering. As soon as the class ended, I went straight home to build my own cluster. A few hours of tinkering and I was able to successfully run code across two machines configured as a Beowulf cluster. The next day I headed to class to learn more about these and upon revealing that I had a working cluster at home I was given a proposition. If I would teach him from scratch how I built, configured and tested it, the university would supply me with some used computer parts to build some more systems for playing with. I happily agreed. Over the next few weeks we’d meet once a week and work through different aspects of the cluster and scheduling software. I got some pieces and was able to build another toy machine. I later found out that at the end of the year he had landed a job working for a Telco building clusters around the world.
I continued to work as a Computer Technician, then Software Developer. I added C# to my skillset and moved from a small IT company to a Petroleum Payments firm. I was working on transaction handling, financial reconciliation and distributed systems messaging. I really didn’t focus much on security during this time.
I moved cities and worked for a District Health Board. I was given the job of looking after the more sensitive systems at the hospital (mental health, mortuary etc). Patient information and integrations with patient management systems required security, but this was still an immature practice.
I went into Scientific programming for fisheries science, programming for forecasting software and managing a team of developers for a real-time 3D engine.
My emphasis was on high performance computing in C++.
Time to work for a financial organisation where I was introduced to the concept of Payments Card Industry - Data Security Standard or PCI-DSS. A large compliance obligation for organisations accepting credit cards. We were SAQ-D and had ~650 requirements to satisfy. This was tied to $300m/yr in income for the organisation. We had no security architect, so my role of Solution Architect became de facto Security Architect for the organisation.
I started to focus on security heavily during this period. Inadvertently finding Critical issues in the security of infrastructure. “I’m pretty sure could leak every credit card we have on record”, “I doubt it, this is sandboxed”… “I wonder how you disable the sandbox… oh like that… oh look, the developers have already done it”. A quick email to our development partner asking “can you see this from that?” and a fast response “Yes”. Meetings with general managers immediately occurring, vendor fixes and the analysis of log files to ensure nothing had been leaked. We were all good, but there were slaps on the wrist given.
During this time I also led the design and deployment of a solution that used 2 Squid Proxies to deliver near real-time financial updates across a nationwide WAN to 280 Raspberry Pis. This information was then connected to local RF networks and displayed on banks of TVs. A modern interpretation of the old Teletext.
I’m back. Security and Privacy within DevOps and the Cloud are my primary areas of focus. My side hustle is doing C++ work on high performance software modelling platforms.
I work with Public Records Acts, Privacy Acts, Information Classifications, PCI-DSS, ISO27001, NZISM and more.
Who knows? I’m currently starting down the path of writing a book on Zero Trust security… but we’ll see how that turns out.