Thursday, March 20, 2025

Update

The last couple of weeks have been quite the emotional roller coaster.

I have also been thinking about how much our mindset affects what we experience.

I have always had some issues with beliefs like 'The Secret', because at the end of the day it basically puts the blame on you. If thought alone could get you where you wanted to be in life, then someone who is struggling in poverty is just... not controlling their thoughts?

Something like that... it's kind of ugly, really.

On the other hand, I do get that perception shapes reality, and that how you perceive something affects how you respond/react to it... and that such thoughts can create a self-fulfilling prophecy.

For example, if you assume something negative that happened was due to an attack and respond harshly, it can lead to developing a hostile relationship. If, however, you assume it was a one-off or an accident and don't respond harshly, you might just stop an escalating cycle of negative behavior and avoid a whole lot of misery.

It's hard to say for sure, of course. None of us are able to fully see alternative timelines. I do, however, believe I can sense when I break a typical chain reaction.

I don't want to go down that rabbit hole right now, though. Let me just say 'I have been considering how my thoughts are affecting my current reality'.

Sometimes I am doing quite well. I've been working through some labs online, practicing things like web cache deception or how to modify JSON web tokens or how to get around access controls.

As I am thinking past my most recent bout of panic, I've actually been learning a LOT in the last couple of weeks. I mean - my last official day at work was 7 March, and even though I had been reading through the Web Application Hacker's Handbook before that, I had hesitated to configure my laptop for the work because I still had the two work laptops to deal with and officially was still checking in at work in case I was needed for something.

Since then I have installed Burp Suite, run through The Burp Suite Cookbook, explored one of the programs in a Vulnerability Disclosure Program, and basically been immersing myself in bug bounty hunting.

I probably should say 'hacking', but even though I understand the subcontext of 'someone who thinks outside the box, who explores a system and finds unique and unexpected ways to take advantage of the system's flaws' and don't really have a problem with it when it comes to white hat or grey hat hacking, in my head the term still refers to teenage boys trying to prove themselves by doing stupid stunts purely to prove they could.

Like - I could care less about pwning someone, or doing the tech equivalent of comparing dick sizes.

But that's more a caricature of a hacker than reality anyway, and I do have a lot of respect for the people who have the technical skills to find and exploit flaws.

I am digressing again. Anyways, the thing is that when I stepped away from the labs and went looking at a real program, it felt a little overwhelming.

At least in a lab I know what I'm looking for. I know if I should be trying to do a path traversal or playing around with the login fields or whatever. Checking a site where I'm not even sure there's going to be a bug?

One that has much more complicated login features? Like 2FA? One that has jsession cookies and JSON web tokens?

Yeah... it felt like I went from the kiddie pool straight into the deep end.

But when I got past the emotional impact and really thought about it, I remembered a couple of things.

First, some of what I listed above... which is that I've already absorbed quite a bit in less than two weeks. I have experience with massive data dumps... periods of time where the metaphor 'drinking from a fire hose' does not feel like much of an exaggeration.

And I have always done well. I just soak it all up, and eventually I start making connections and it all starts fitting together.

Right now I'm still in the early stages, where there's a massive amount of information and I don't quite know how it all fits together.

But if I have the time and the resources (and there are a LOT of resources on this), then I can and will get there.

It's like a coworker said regarding my previous position a few months back - I started out new and inexperienced, and before the year was out I was one of the go-to people. Someone who was asked for input on complicated issues by people who had been working there long before me.

I also took a bit of time to look up some more advice on bug bounty hunting. Not the basics that I've been soaking up, but advice better suited to where I'm at on this path. And it's interesting that so many of them say 'don't switch programs too fast'.

It seems that - given most of these are public programs where others already have been looking for bugs - the true experts really get to know the applications they are investigating. They don't simply spend a few hours doing a superficial check and then decide it's not worth it. (Okay, apparently they might do that as they build up experience and their intuition plays a role, but that comes later.)

I think I really have to dig into whatever app I want to focus on, on a deeper level. It's actually rather ridiculous to give up after only one day. I've heard some of the bug bounty hunters talk about taking weeks.

I had already investigated that a bit before I even looked at this site and I knew it going in - but emotionally it's a whole other story.

Because emotionally...

Emotionally I'm thinking 'I only have so much time before I will be forced to make some painful financial choices'.

Even if I'm confident that I have the capability to learn and do this, I am not confident that I can make a living at it.

Especially not before I work through my reserves.

And that's really the issue, isn't it?

That mindset and those fears seem like a subconscious trap, something that would sabotage my efforts before I've even really started.

They might not be invalid - I only have so much leeway before things get ugly.

But if I let them control me now, then I feel like I'd be giving up before I even really tried.
