Wednesday, April 2, 2025

The Executive

I wanted to explain a little more about how a good executive works.

First - almost anybody who has managed other people has run into the problem where they don't do the work as you expect. One reaction is to just do it yourself - micromanaging - but that runs into a problem.

Namely, that if you are given more and more responsibility, you eventually reach the point where one person can't do it all. There are only so many hours in a day, only so much work you can do before you are overwhelmed (and maybe even burnt out).

Alternatively, you can focus on just the ones who somehow manage to perform as you expect. Perhaps finding the 'whales' - but that also has its problems. It basically puts the burden on those who already know what to do, and ignores the underperformers. Then the people you rely on may get overwhelmed and burnt out whereas the rest are able to coast by. (The people focusing on the 'whales' then compete for those already able to do the job, rather than developing more people and getting them to the point where they are also able to perform.)

There's an additional problem here. Because as anybody who has ever been a subordinate knows, they are keenly aware of what the boss wants... and will strive to look good in their eyes. Simply telling them to do a task and then measuring performance on how well they achieve it means that you may ignore how they achieve it. It pressures them, sometimes to do things that are illegal... or even just browbeating their own subordinates, which eventually will drive them off. (Seriously, unless you take major steps to indicate you want to know the truth, and then prove it - repeatedly - by how you react to bad news, and also make sure you've got good feedback mechanisms, it is too easy to get blindsided by things you just don't know).

Delegation is not just a fire-and-forget kind of task. You have to have a good understanding of who you're delegating to, and what their capabilities are. Maybe they're experienced and just need a general order, maybe they're new to the job and need a bit more involvement. Knowing which is part of your job.

And part of that job involves setting them up for success. Do they know the task? Do they know the standard expected? Do they have the resources they need? The funding, the personnel, the equipment?

If you can't clearly show you've given them those things, then you've set them up for failure... and it's not that they're a bad subordinate, or lazy, or whatever excuse you have for thinking any failure is theirs and not yours. (In my experience, it's poor leadership rather than poor employees that are the problem, and if you give them the tools to succeed they will.)

For complex projects, it's helpful to identify all the tasks that need to be accomplished to reach the end goal. That's where project managers come into play, with the tasks and timelines marked in some sort of project management tool, but I can illustrate this point with something much more familiar - Thanksgiving dinner.

If you want to have Thanksgiving dinner at 4pm on Thanksgiving Day, you have to figure out the timeline of all the events leading up to it.

The turkey has to be thawing about three days out (depending on the size of the turkey). The potatoes need to be peeled and ready to cook around an hour out. You have some leeway, depending on how many potatoes there are, but they can also sit in the hot water for a little while so an hour gives you plenty of time for them to cook - and then just before dinner you can mash them and add whatever fixings you want.

Same for casseroles, and pies, and stuffing, and any food to nibble on. (If we're having spinach dip or cheese dip we may prep them the day before, and then they're ready to eat all day long).

You have to assign the tasks to whoever you want. Is someone responsible for a particular casserole? Are they going to bring it already cooked? Or ready to cook? How long will it take? Is there enough space in the oven for it, along with all the other things? If using the stove top, are there enough burners? Can something be cooked earlier to ensure all of it gets done on time?

Most mothers somehow manage to track all of this in their heads, but if they were to put it in a project management tool you would soon get a list of all the tasks and which have to be done by which point in time... and you'd better make sure someone buys the ingredients ahead of time, because trying to find eggs or green beans, or sweet potatoes on Thanksgiving Day can be a bit difficult.

If someone new in the family is hosting Thanksgiving, it generally doesn't hurt to ask if they've got the turkey thawing a few days prior. It's generally easy enough to do during some sort of call to coordinate plans, and if it's not necessary then no harm done - but if they've forgotten or are inexperienced enough not to know, then you've saved everyone the stress of worrying how you'll cook Thanksgiving dinner with a frozen turkey.

All of this, btw, is a lot of work. Maybe you don't have to do each and every task yourself, but making sure everything happens on time and bringing it all together so that the meal is ready when you've told everyone it will be is no small feat.

To bring this back to business - management is more than just tracking KPIs and reporting on the results. It requires really knowing. Know your people, know what they're doing, know that you've given them the tools to succeed. That you're aware of any blockers and have time to resolve them before the tasks need to be done.

That entire skillset seems rarer than I expected. You can see that in companies like Boeing, where their CEO said they have "made serious missteps in recent years."

You see that in executives who seem to think they can manage by fiat. Just tell people to do something, but whether or not they follow through depends on how skilled they are at all the things I listed above. The executive isn't doing it, instead they just yell at them if they fail and praise them if they succeed - but they're not really involved enough to know if the tasks are being done to standard, or even legally.

Governing by fiat is, in some ways, the same problem I pointed out with regards to programming. It's abstracting away all the messy bits, simplifying it... and ultimately it obfuscates problems and only succeeds if someone lower down does what's necessary. Sometimes without any acknowledgement or understanding by the people who delegated it to them.

Anyways, in America Congress (as the legislative branch) is supposed to decide the what and the president (as the executive branch) is supposed to decide the how.

There has been immense pressure over decades to make the president the point person, and hold them responsible for both the how and the what, but that's not really what the Constitution says.

And governing by fiat both takes the 'what' from Congress and is incomplete without a plan for 'how'.



Friday, March 28, 2025

Can Common Sense Rust?

There is a widespread belief that a peacetime military begins to... decay.

I can't seem to find the exact phrase (too many false positives to my search), but I believe it was something about a military needing a war to shake off the rust, or trim the fat, or whatever aphorism you choose to use to indicate that a military force becomes less capable of fighting as intended.

I don't normally dwell on this, because even though it's true it doesn't really leave a lot of options.

The thought of starting a war just to trim the fat is abhorrent.

Even if you were callous enough to consider it, wars are risky things. Unless you follow Sun Tzu's advice and know the enemy and know yourself, it is entirely possible that the war will not go how you expect.

Sometimes a 'short, victorious war' is neither short nor victorious.

This 'rot', such as it is, seems to seep into more than just military forces. In the United States, veterans make up about 6% of the adult population.

6%

That is, 6 out of every 100 adult Americans have ever served in the armed forces. That includes some of the really old veterans (Vietnam, the few surviving WWII vets...) from back when military service was more common than it is today.

The divide between veterans and the average civilian also has an effect - some say rot - but again, the solutions are not easy.

Mandatory service? South Korea and Israel may be able to do so, but if we truly put every young American man (and perhaps women) in uniform we would seriously have to expand our boot camps and living spaces and all the rest. After all, that'd be some 30M+ people, and our armed forces are only around 3M. You're talking ten times the current forces, and they would all need to be fed and housed and trained.

And so we have a large civilian population that really doesn't understand what it means to serve. More than that, they also don't have the critical skills and experiences veterans learn - but I'll circle back to that.

Something I, and many of those I served with, took a strange sort of pride in. It's kind of a sign of success, after all... that people can waste their time worrying about stupid stuff.

(Yes, my scale of 'things to stress out about' is a bit distorted now.)

Anyways, I look at the nonsense Trump represents, and the people described in that book about Facebook, and the things I've commented on before - about how various political figures clearly didn't feel any social condemnation for some of the foolish things they are doing, and it begins to feel like that Hindu concept of the Kali Yuga might be true. A time of darkness and despair among humanity and across the entire Earth, when chaos, confusion, and hypocrisy reigns?

Sounds familiar.

But that concept just seems to feed cynicism and helplessness, so let's move on.

The core problem... well, I think there's a variety of factors involved.

Some of it is the sheer difficulty of teaching good judgement, but there's more to it than that.

There are all sorts of lessons I learned in the army. Often condensed into pithy aphorisms and metaphors, cheesy parables and short stories that capture our collective wisdom and experience.

And many of them seem to be at odds with the lessons our civilian leaders have learned.

For example - consider an enemy ambush on a convoy driving along a road.

First, I want to discuss some of the worst things that could happen, because they have a strong effect on why the military does the things they do.

In a situation like this, your forces are sitting in what we call 'the kill zone'. The enemy has set up all their forces to target yours in that kill zone, and they are firing on you at that moment.

The absolute worst thing you can do is nothing. By doing nothing, it's only a matter of time until the people shooting at you succeed, and you're dead.

That's why one military saying is that it's 'better to make a bad decision than no decision.'

Quite a lot of the military is geared towards helping you react quickly and correctly - which is also why we do so many drills and spend so much time training. If you train enough, then you will react and get out of the kill zone quickly. Often before you've even had time to panic or think about the dangers... your brain might freeze under the shock, but your training kicks in and you're already doing what you should.

The other thing you really don't want is for your people to start arguing over what course of action to take.

You are being shot at. This is not the time to argue that everyone should do X instead of Y.

Not without a compelling reason. And by compelling, I mean 'people will die.'

This is also why the military cares about things like 'good order and discipline'.

But... it's not like in the movies. It's not like soldiers turn off their brains and blindly follow orders.

It's more like - they understand that there are good reasons to maintain discipline, and you'd better have a damn good reason if you're going to disobey (and even if you do have such a reason you still might be disciplined, but if you think your reason is good enough then on your own conscience be it.)

I knew a warrant officer, back when I was in Iraq, who had served in Vietnam. He told me a story once - about an ambush, perhaps like the one I described above. Except the officer wasn't responding correctly, so he pushed the officer aside and got them out of the ambush.

He said he got disciplined, I think demoted a rank. But he also was privately told that he'd done the right thing.

Which makes perfect sense, because it discourages soldiers from deciding they know better and causing confusion under fire, while at the same time not truly punishing the soldier. After all, he did eventually become a warrant officer.

There is a LOT more than that, but I don't want to digress too much.

The point is that when you're at the tip of the spear, the logic and calculations are different. You also learn a lot more about how people act and react under stress.

In civilian life - your boss may say or do something stupid, but you're afraid of losing your job so you generally just grin and bear it. And then maybe go home and vent to your spouse, or call up a friend or something.

In the military, when you're six months into a deployment and only halfway done... where alcohol is forbidden and you're spending your entire day around the same people, and there's smoke coming up from the latest IED or you're hearing mortar rounds daily...

People act differently. (And I'm not even going into the experiences of those directly in a firefight. Go talk to someone in the infantry, or even a truck driver regularly out on military convoys). Stress can build up, because there's no casual weekend where you can unwind. People grate on each other with no release valve. Interpersonal issues can blow up to disastrous levels.

To lead people into battle, into situations where they know they might die - you have to have trust. They have to believe you know what you're doing. Or at least, know well enough that you won't get them stupidly killed. (And if you don't... well. There's plenty of stories of fragging. When shots are being fired and death is a real possibility, who's going to know if your own soldiers had a little something to do with it? Better not be too incompetent, because your life is also on the line.)

All of this seems to go against the lessons civilian leaders learn. At least, the ones I see leading our current world.

It feels like they all read that book on the 48 laws of power, except those 'laws' are more about a courtier's life than a general's.

And perhaps that's the real distinguisher.

Even in the army, it's known that things change the closer you get to the flagpole. i.e. headquarters for higher ranking individuals. That's where egos and jockeying for power start interfering with the calculus of 'accomplish the mission while keeping your people alive.'

The higher up the flagpole you go, the worse it can get.

Still, every single one of them has an understanding of how to execute a large and complex operation.

Like when we deployed into Iraq - I was part of the Reception, Staging, Onward Movement, and Integration (RSOI) process in Kuwait to prepare our forces for deploying our division.

Moving such a large military force requires a LOT of coordination. To prepare the equipment for shipping, to coordinate for the ships, to coordinate for the planes bringing everyone in, to coordinate for transportation from the airport to their temporary living quarters. To prepare for any additional training required. To make sure you had people prepared to unload the equipment off the ships when they arrived, return them to a working condition, and get them back to your area...

The list goes on and on. It's a large, complex operation with a lot of moving parts, and there's a lot of experience you gain when you're part of something like that. Heck, even the experience with smaller tasks (like running a weapons qualification range) teach you plenty.

Such as understanding the difference between a plan as it appears on paper, and a plan as you actually try to execute it.

Really feeling in your bones how Murphy will fuck with you any chance he gets, and why you should keep things as simple as possible. (In case you miss the reference, Murphy refers to Murphy's law and any overly complicated plan has more things that can go wrong, and therefore more points of failure for Murphy to mess with.)

How last minute changes can screw things up even worse, if you don't communicate them effectively.

The importance of a clear chain of command, clear direction, and clear lines of responsibility. Also clearly communicating the mission and the plan.

These all seem like things civilian society has just plain forgotten. Even the CEOs don't really seem to understand it any more, or maybe it's just the tech bros? Move fast and break things is fine when breaking things just means some people have to step away from the computer for a bit while the techies frantically try to fix it. It's much less acceptable when it means half-assing your deployment into a combat zone.

I have especially been thinking about this because of some of the things Trump has been saying about Canada and Greenland.

I have absolutely no idea why he thinks pissing off one of our best allies is a good idea. Even if this has something to do with trying to gain control of the oil in the Arctic sea as the ice caps melt, I don't think alienating these countries is better than what we could have done with proper diplomacy. But that is yet another digression.

What I really wanted to focus on was how chaotic and haphazard his plan - if you can even call it that - is.

You can't just take over another nation by declaring they're a 'Cherished 51st state', nor by bullying them with tariffs. At the end of the day, Trump is either full of bombastic hot air (possible) or he will have to actually try to invade Canada (which I also wouldn't put past him).

Doing so would be fraught with legal questions. I think he'd need Congress to make a declaration of war. Even though we've had presidents do some questionable military activity without one, I don't think that will work in this case. I also don't know if whoever in the military he tries ordering to do so will recognize it for the illegal and unconstitutional order it would be without one. I would like to say they would, but we've had so many guardrails fail already that I am not as confident as I would like to be.

That makes it more likely than not that he's just full of hot air, but who knows?

What I do know is that if he led a brigade or a battalion the way he's leading the United States, then it would be a serious disaster.

Clear plan? Clear goals?

Nope.

It's like he'd come out one day and say 'go take that hill', except that no clear battalion is assigned the mission, there's no clear coordination for the beans and bullets required, he also came out later that day and said that they needed to take a different hill, and nobody knows if that means they don't need to take the original hill or not.

And if one battalion commander decides to obey his unclear command and succeeds, Trump would talk about how great a leader he himself is and maybe even praise that commander, but if they failed he'd immediately bad mouth the commander and pretend he never gave the order.

It's all chaos and confusion, there's no clear chain of command and no clear hierarchy, no real responsibility taken, just pressure to do whatever crazy thing Trump wants. With multiple examples of him immediately bad mouthing and dropping anyone who fails in the attempt.

Nobody really knows who is supposed to be doing what.

I have never been quite clear if he thinks he's clever and has some sort of actual plan, or if he's truly incompetent... but in some ways I think I'm grateful.

Because his leadership style is truly like a mafia boss. Given how law enforcement regularly monitors mafia bosses, they've all learned not to give a clear order or do anything that could get them in legal trouble - which makes sense for a criminal organization, but is a truly terrible policy when it comes to the military.

Anyways, Trump's 'leadership' during January 6 was like that. He never outright ordered his supporters to do anything illegal, but the ones who felt strongly enough to join him back then knew exactly what he was encouraging.

And they failed. I still don't think they had much of a chance of succeeding - even if they had disrupted the counting of the states' electoral votes, or had even managed to hang Pence. But they could have caused enough chaos and uncertainty that perhaps Trump could have held on to power.

Maybe.

I doubt it, given the states had already certified their election results and the January 6th counting was purely ceremonial, but again - the guardrails are more fragile than I used to think, so who knows?

The thing is, though... if Trump had led from the front? If he had clearly walked with his supporters to Congress?

Things might have been different. But he would also have had to clearly cross the line of legality, just like Julius Caesar crossed the Rubicon.

Anyways, I am dismayed that so many people seem to think Trump is exhibiting good leadership, even more dismayed when my fellow veterans support him, because when you look past the chaos and bombastic language, he doesn't seem to be very good at - executing.


(If you're interested in more like this, I have a Venmo link.)




Thursday, March 27, 2025

Common Sense Isn't

Although the specific examples here are different, this is related to an idea I'm letting percolate at the moment:

https://www.tumblr.com/tanoraqui/779184679453589504?source=share

Monday, March 24, 2025

Complexity and Abstraction in Coding and Government Work

I have learned that when coding something complex, when you get bogged down in issues and start losing track of what is done, the urge to just wipe it all and start over is often overwhelming.

And often, a bad idea.

Well, perhaps not with a specific program, but in general the existing code has already had a lot of bugs worked out. If you wipe that all away and start fresh, you will often face the same sorts of issues and have to spend time figuring out the solutions - again.

That's part of why tech seems to just keep adding layers, instead of reworking a program in its entirety. There are times where a complete redo is a good idea, but most of the time nobody wants to spend the resources redoing something that is already getting the job done.

And so you get layer, on top of layer, on top of layer, until eventually it looks like that xkcd comic:



What's interesting to me is that over and over and over again I see this urge to simplify things, to reduce the complexity, to somehow make it easier to manage.

Except what tends to happen is that yet another layer gets placed on top, one that looks prettier and perhaps consolidates all the things you need to monitor... but it doesn't actually change the underlying structure, and in fact can even obfuscate it a bit more.

Which is all fine and dandy when things work, but someone still has to understand that structure - especially when something breaks.

There are a ton of tools for automating what we do, and for the most part I love them. If you have some complex task that involves doing hundreds of different things in the exact same order, the exact same way, every time - automate it! People are prone to error, they're one bad day or one interruption from skipping a step or repeating a step or adding the wrong input, and if you can build a pipeline or a script that does it all correctly, it's a great time saver.

But someone has to know the process well enough to create that pipeline or script. And if something needs to be updated, or upgraded, or modified, then someone has to know it well enough to make those changes too.

In other words - automation can't really replace the need for human expertise. Not completely.

Looking back, I feel like something similar happens with government programs and privatization.

The main belief I heard, growing up, was that 'governments have no incentive to improve, whereas competing businesses do. Therefore private businesses are more efficient, and it's better to privatize where you can.'

But... that's only true in certain circumstances. There are certain public goods that benefit society as a whole, but don't have great incentives for private companies.

I was thinking about that because I picked up Careless People (in a great example of the Streisand effect), and was reading about their reasoning for internet.org. Basically they realized that if they wanted to expand their userbase, more people needed to have access to the internet. So they created an organization that was supposed to encourage basic internet access.

Kind of like how in 1954 the NTCA worked to encourage telephone access in rural areas. Except it's important to note that the government helped a lot with funding these efforts.

In the private sector, the cost of connecting far-flung and distant communities isn't really worth the amount of money you can make from adding those customers to your business. Not unless you get the government to help tip the scale a bit.

And yet, although the wiki indicates that they did indeed cooperate with some governments for this, in the book it seems the initial focus was on building drones, satellites, and lasers to deliver the internet.

No talk at all about creating a program like the NTCA.

Perhaps they thought those drones, satellites, and lasers would help create a profitable business? It does sound a bit like Starlink now that I think about it. I don't think Starlink has yet reached the point where the profits outweigh the costs involved in building the structure...

But I'll leave that to the corporate folks. The part I wanted to point out was that, at least initially, there didn't seem to be any realization that this is actually where you would want government involvement. That the public good of internet access is not something that private companies are likely to find profitable. Not once you get past dense populations where building the infrastructure easily brings in enough customers to pay for itself.

There is not a universal truth here, no situation where private businesses are always better, nor government funded organizations.

They are different tools in the toolbox.

This also, in some ways, reminds me of my experiences in Iraq. Because in the interests of keeping the military small, quite a few services were privatized out. Supposedly it saves money in the long run, but when you spend a good decade or more in another country... you generally are paying more for those privatized services than you would if you'd kept it in house.

That's not even getting into the security concerns, especially when all the dining facilities are run by private companies who hire foreign nationals because their labor is cheap.

But that's a whole other conversation. What I really wanted to get at was this - even with privatization, the government still had oversight duties.

You don't get to just say 'here's a contract, have at it.'

Sure, they may be 'competing' with other private businesses, but ultimately the government is the funder and the one who decides which one gets the contract. And if they're not ensuring the company is doing the work as expected, even those private companies are prone to waste, fraud, and abuse.

This might not seem related to how I started this post, but I think at the core is a similar urge - simplify and abstract away the complexity.

Except it doesn't ever go away, not really.

It's just hidden, and now you've got a bunch of people running around acting knowledgeable when all they have is a surface level understanding.

Another Update

I've had an idea for a post tickling my brain, though I've mostly been focused on soaking up as much info as I can on how to find web vulnerabilities.

I've discovered that while the labs are kind of fun, you know exactly what you're looking for (it's often in the name of the lab), and when I go look at a real site the experience is - different.

I think I want to come up with a more systemic way of checking things. The site I was looking at may or may not have any vulnerabilities, and tbh it seems a bit more complicated than what I've been seeing in the labs. Still, I think that's part of what makes it good experience.

I saw something that I vaguely remembered had potential, went looking through my notes and spent most of today working on the labs for Server Side Request Forgery (SSRF). Then took that knowledge and tried checking for it, which (fortunately or unfortunately, depending on your perspective) doesn't look like it's actually a concern.

Anyways, it's still a large amount of information to take in, but the more I absorb the sooner things will start clicking.

And since the potential post is a totally different topic, I'll leave this update as is and see what comes out next.

Thursday, March 20, 2025

Update

The last couple of weeks have been quite the emotional roller coaster.

I have also been thinking about how much our mindset affects what we experience.

I have always had some issues with beliefs like 'the Secret', because at the end of the day it basically puts the blame on you. If thought alone could get you where you wanted to be in life, then someone who is struggling in poverty is just... not controlling their thoughts?

Something like that... it's kind of ugly, really.

On the other hand, I do get that perception shapes reality, and that how you perceive something affects how you respond/react to it... and that such thoughts can create a self-fulfilling prophecy.

For example, if you assume something negative that happened was due to an attack and respond harshly, it can lead to developing a hostile relationship. If, however, you assume it was a one-off or an accident and don't respond harshly, you might just stop an escalating cycle of negative behavior and avoid a whole lot of misery.

It's hard to say for sure, of course. None of us are able to fully see alternative timelines. I do, however, believe I can sense when I break a typical chain reaction.

I don't want to go down that rabbit hole right now, though. Let me just say 'I have been considering how my thoughts are affecting my current reality'.

Sometimes I am doing quite well. I've been working through some labs online, practicing things like web cache deception or how to modify JSON web tokens or how to get around access controls.

As I am thinking past my most recent bout of panic, I've actually been learning a LOT in the last couple of weeks. I mean - my last official day at work was 7 March, and even though I had been reading through the Web Application Hacker's Handbook before that I had hesitated to configure my laptop for the work because I still had the two work laptops to deal with and officially still was checking in at work in case I was needed for something.

Since then I have installed Burp Suite, run through The Burp Suite Cookbook, explored one of the programs in a Vulnerability Disclosure Program, and basically been immersing myself in bug bounty hunting.

I probably should say 'hacking', but even though I understand the subtext of 'someone who thinks outside the box, who explores a system and finds unique and unexpected ways to take advantage of the system's flaws' and don't really have a problem with it when it comes to white hat or grey hat hacking, in my head the term still refers to teenage boys trying to prove themselves by doing stupid stunts purely to prove they could.

Like - I couldn't care less about pwning someone, or doing the tech equivalent of comparing dick sizes.

But that's more a caricature of a hacker than reality anyway, and I do have a lot of respect for the people who have the technical skills to find and exploit flaws.

I am digressing again. Anyways, the thing is that when I stepped away from the labs and went looking at a real program, it felt a little overwhelming.

At least in a lab I know what I'm looking for. I know if I should be trying to do a path traversal or playing around with the login fields or whatever. Checking a site where I'm not even sure there's going to be a bug?

One that has much more complicated login features? Like 2FA? One that has JSESSIONID cookies and JSON web tokens?

Yeah... it felt like I went from the kiddie pool straight into the deep end.

But when I got past the emotional impact and really thought about it, I remembered a couple of things.

First, some of what I listed above... which is that I've already absorbed quite a bit in less than two weeks. I have experience with massive data dumps... periods of time where the metaphor 'drinking from a fire hose' does not feel like much of an exaggeration.

And I have always done well. I just soak it all up, and eventually I start making connections and it all starts fitting together.

Right now I'm still in the early stages, where there's a massive amount of information and I don't quite know how it all fits together.

But if I have the time and the resources (and there are a LOT of resources on this), then I can and will get there.

It's like a coworker said regarding my previous position a few months back - I started out new and inexperienced, and before the year was out I was one of the go-to people. Someone who was asked for input on complicated issues by people who had been working there long before me. 

I also took a bit of time to look up some more advice on bug bounty hunting. Not the basics that I've been soaking up, but advice better suited to where I'm at on this path. And it's interesting that so many of them say 'don't switch programs too fast'.

It seems that - given most of these are public programs where others already have been looking for bugs - the true experts really get to know the applications they are investigating. They don't simply spend a few hours doing a superficial check and then decide it's not worth it. (Okay, apparently they might do that as they build up experience and their intuition plays a role, but that comes later).

I think I really have to dig into whatever app I want to focus on, on a deeper level. It's actually rather ridiculous to give up after only one day. I've heard some of the bug bounty hunters talk about taking weeks.

I had already investigated that a bit before I even looked at this site and I knew it going in - but emotionally it's a whole other story.

Because emotionally...

Emotionally I'm thinking 'I only have so much time before I will be forced to make some painful financial choices'.

Even if I'm confident that I have the capability to learn and do this, I am not confident that I can make a living at it. 

Especially not before I work through my reserves.

And that's really the issue, isn't it? 

That mindset and those fears seem like a subconscious trap, something that would sabotage my efforts before I've even really started.

They might not be invalid - I only have so much leeway before things get ugly.

But if I let them control me now, then I feel like I'd be giving up before I even really tried.

Wednesday, March 12, 2025

Update

As I have indicated before, my company has gotten serious about working in the office and I have been let go.

To be honest, I got most of my freaking out done before it actually happened. Based on the conversations I had with my manager, I knew that if I continued to refuse this was likely to happen.

In some ways, having it happen actually came as a relief - no more wondering when the hammer would fall.

Given I had some prior notice, I had finally gotten around to reading my version of The Web Application Hacker's Handbook, and...

I understand quite a bit about how it works.

Oh, I have realized (especially as I work through some of the labs on the PortSwigger site, as well as a book on Burp Suite from my account with O'Reilly) that understanding what's going on behind the scenes does not really mean I can open up a website and easily knock out an SQL injection.

On the other hand... Burp Suite is a powerful tool, and while I'm sure the true experts will grumble about 'script kiddies' and whatnot, if it can automatically test for that I don't think I need to reinvent the wheel and inject it myself.

Well, I mean... I want to, eventually. But as my father has said - if you do it often enough you'll memorize it, and if you don't you'll forget it. 

I think I just need to build up experience and I can do it without having to look things up, too.

So anyways...

I think I'm going to try being a bug bounty hunter.

Seriously.

I am... concerned about whether I can earn enough money to pay the bills. Looking around online gives mixed messages.

Some people have done really, really, really well, but they might just be the special exceptions. Others have not done so well, and only hunt for bugs as a hobby.

Digging into it a little deeper, it does seem like most of those are the ones - like I have met in my professional career - who generally have a superficial knowledge and don't dig into things that deeply.

If that is true, then I don't think I need to worry. After the last five-six years I have realized I'm actually quite good at digging into complicated things like this.

I have also repeatedly heard professionals say that there are a LOT of bugs out there, so it seems like I should be able to find plenty.

Maybe.

It seems a bit like a gamble to be honest. Potentially great pay off, potentially a huge disaster (or maybe it will just give me some experience to put on my resume and then go back to some sort of company payroll).

For now, however - I have a plan. I have the capability and the resources to follow the plan. And I really want to try working for myself.

It has been... rather nice so far, actually. So long as I don't dwell too much on how I'll pay the bills once I've worked through my safety net.

I've been trying to somewhat keep the same business hours, just firing up the computer and playing around with Burp Suite and the OWASP VM and the PortSwigger labs. It's rather fun, even. Like 'Oh! That is how they do it!'

Some of it is quite clever, too. Like figuring out what a legitimate username is based on how long it takes the application to process a login attempt with an invalid password. I'm really impressed with the people who worked out some of these tricks.
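To make that timing trick concrete, here is an added example (it is not part of the original post and is not taken from the PortSwigger labs or the Burp Suite book). It shows a login handler that only runs the expensive password hash when the username exists, the enumeration check an attacker would run against it, and a hardened version that does the same amount of work for unknown users so the timing no longer leaks anything. The user store, the PBKDF2 work factor and the 10x timing threshold are assumptions chosen for illustration.

```python
"""Username enumeration via a login timing side channel (added example).

The sample users, the PBKDF2 iteration count and the enumeration
threshold below are constructed assumptions, not values from any real
application.
"""
import hashlib
import hmac
import os
import time

# Assumed work factor: high enough that one hash takes tens of milliseconds,
# which is what makes the "did it hash or not?" difference measurable.
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_user_store(creds: dict) -> dict:
    """Build a username -> (salt, hash) store from plaintext test credentials."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(pw, salt))
    return store


# Constructed sample accounts for the demonstration.
USERS = _make_user_store({"alice": "correct horse battery staple", "bob": "hunter2"})

# A throwaway salt/hash the hardened handler verifies against for unknown
# users, so a miss costs exactly as much as a hit.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)


class Login:
    """Login endpoint instrumented with a counter of expensive hash computations."""

    def __init__(self, store: dict):
        self.store = store
        self.hash_ops = 0

    def login_vulnerable(self, username: str, password: str) -> bool:
        record = self.store.get(username)
        if record is None:
            # Fast path: unknown users return without hashing, so a wrong-password
            # attempt against a real user is visibly slower than one against a fake.
            return False
        salt, expected = record
        self.hash_ops += 1
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def login_hardened(self, username: str, password: str) -> bool:
        record = self.store.get(username)
        # Always hash, against a dummy record when the user does not exist.
        salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
        self.hash_ops += 1
        ok = hmac.compare_digest(_hash_password(password, salt), expected)
        return ok and record is not None


def time_login(login_fn, username: str, password: str = "not-the-password", samples: int = 5) -> float:
    """Median wall-clock seconds for a wrong-password attempt against `username`."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        login_fn(username, password)
        times.append(time.perf_counter() - t0)
    times.sort()
    return times[len(times) // 2]


def enumerate_users(login_fn, candidates, ratio: float = 10.0):
    """Return candidates whose response is `ratio` times slower than the fastest one.

    Against login_vulnerable this recovers the real usernames; against
    login_hardened every attempt costs the same, so nothing is flagged.
    """
    timings = {u: time_login(login_fn, u) for u in candidates}
    fastest = min(timings.values())
    return sorted(u for u, t in timings.items() if t > ratio * fastest)


if __name__ == "__main__":
    candidates = ["alice", "bob", "carol", "dave"]
    print("vulnerable:", enumerate_users(Login(USERS).login_vulnerable, candidates))
    print("hardened:  ", enumerate_users(Login(USERS).login_hardened, candidates))
```

The hash counter is there so the leak can be seen without a stopwatch: the vulnerable handler does zero hash operations for an unknown user and one for a known user, while the hardened handler always does exactly one. Real applications leak the same way through database lookups, lockout counters or different error messages, and the fix is the same idea: make every code path cost the same and say the same thing.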

I really hope I can make this work permanently.