<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.9.3">Jekyll</generator><link href="https://www.thomasjost.com/feed.xml" rel="self" type="application/atom+xml" /><link href="https://www.thomasjost.com/" rel="alternate" type="text/html" /><updated>2025-06-25T02:11:40-07:00</updated><id>https://www.thomasjost.com/feed.xml</id><title type="html">tj0</title><subtitle>Writings about PHP, JS, information security, and general software engineer things</subtitle><entry><title type="html">506 Variant Also Negotiates</title><link href="https://www.thomasjost.com/career/2025/06/25/506-variant-also-negotiates.html" rel="alternate" type="text/html" title="506 Variant Also Negotiates" /><published>2025-06-25T00:01:27-07:00</published><updated>2025-06-25T00:01:27-07:00</updated><id>https://www.thomasjost.com/career/2025/06/25/506-variant-also-negotiates</id><content type="html" xml:base="https://www.thomasjost.com/career/2025/06/25/506-variant-also-negotiates.html">&lt;h1 id=&quot;506-variant-also-negotiates&quot;&gt;506 Variant Also Negotiates&lt;/h1&gt;

&lt;h1 id=&quot;you-owe-them-your-audience&quot;&gt;You Owe Them Your Audience&lt;/h1&gt;

&lt;p&gt;I wanted so badly to be a software developer. While I was washing dishes in my late 20s, after a particularly vicious deconstruction of life, I got an opportunity — with a condition:
&lt;br /&gt;
&lt;br /&gt;
Move north, or get lost.
&lt;br /&gt;
&lt;br /&gt;
I spent my last dollars on gas, driving around to prospect potential rooms for rent. Why?&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Because RG told me he wouldn’t hire me unless I lived in &lt;em&gt;Vantucky&lt;/em&gt;.
&lt;br /&gt;
&lt;br /&gt;
That effort got me in. I “championed” my way into the industry.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;A couple years later, at the next gas company, I got my first review.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;“You’re not what we thought you were, so you don’t get a raise.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Excellent feedback — especially in an annual review where no expectations were ever clearly set.&lt;br /&gt;
AR was cool. But he never offered actual feedback in our 1:1s – and then dropped that bombshell.&lt;br /&gt;
I jumped ship.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;Next stop: an energy consultancy. The pattern started again.&lt;br /&gt;
Missed 1:1s. Fire drills out of nowhere.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;“Write SMART goals. We’ll use them in six months for your review.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;How do you write goals when the company doesn’t offer… anything of value?&lt;br /&gt;
:shrug:
&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;It was easy, though – so I studied. I learned.&lt;br /&gt;
Eventually, I got an offer I couldn’t turn down. When I gave notice, my manager said:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;“Wow. I’ve never promoted someone and then had them quit.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Well. Look in the mirror.&lt;/p&gt;

&lt;hr /&gt;

&lt;h2 id=&quot;servant-leadership-isnt-optional&quot;&gt;Servant Leadership Isn’t Optional&lt;/h2&gt;

&lt;p&gt;Servant leadership means being in service to your reports.&lt;br /&gt;
Your job — first and foremost — is to make your team successful. Everything else is secondary.  &lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Your TM’s failures? Yours.  &lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Their successes? Theirs. If you did your job right, maybe you get a mention in the credits.&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;You are responsible for providing the resources, the budget, the people, the mentorship, and the consistent &lt;strong&gt;AUDIENCE&lt;/strong&gt; – so they can deliver for you, and you can deliver for your boss.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;Missing 1:1s, rescheduling them, or pushing them to async is a massive pet peeve of mine.&lt;br /&gt;
Inexcusable.&lt;/p&gt;

&lt;p&gt;This industry is isolating by default.&lt;br /&gt;
I need to speak to my manager, regularly.&lt;br /&gt;
Otherwise, I’ll lead myself – and then start wondering why I’m even here. Again.&lt;/p&gt;

&lt;hr /&gt;

&lt;p&gt;If you’re in leadership, you owe your people – your team – your audience.&lt;br /&gt;
If you’re an IC, you deserve your manager’s audience.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Demand it.&lt;/strong&gt;&lt;br /&gt;
&lt;strong&gt;Or deliver — and find somewhere that will give you what you deserve.&lt;/strong&gt;&lt;/p&gt;</content><author><name></name></author><category term="career" /><summary type="html">506 Variant Also Negotiates</summary></entry><entry><title type="html">510 Not Extended</title><link href="https://www.thomasjost.com/career/2025/05/07/510-not-extended.html" rel="alternate" type="text/html" title="510 Not Extended" /><published>2025-05-07T18:03:55-07:00</published><updated>2025-05-07T18:03:55-07:00</updated><id>https://www.thomasjost.com/career/2025/05/07/510-not-extended</id><content type="html" xml:base="https://www.thomasjost.com/career/2025/05/07/510-not-extended.html">&lt;h1 id=&quot;510-not-extended&quot;&gt;510 Not Extended&lt;/h1&gt;

&lt;h2 id=&quot;ive-been-bad&quot;&gt;I’ve been bad&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Engineering doesn’t want to work with me. Hell, we’re not on talking terms. Leadership wants answers that only I can provide, because I pierced the veil, and now, hard questions are being asked. I’ve done bad to be good, and it’s all wrong now. Everything is fucked; long live the fucking.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I cannot count the number of nights my kids have been laid down to sleep without a kiss from me, a wish for sweet dreams. A final touch before they expire to dreamland. I cannot count the days I’ve said, not right now I’m still working. I just need to solve this one last problem for the day, that bleeds into another, into another. I swore I would be the present parent I never had, and yet. I’m the opposite. I’m teaching them my job is more important than them because why? I see their lavish birthdays, Christmas celebrations. I see their happiness when they get so many new exciting things, but I also feel how good it is when they finally get a moment with Dad. That raw, real love. And it hurts me.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’ve been bad.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I stand on many hills. My opinions are very strong across a broad range of topics, and I’m highly technical. I’m a general specialist across the entire infosec range from network engineering to web application pen testing, and I can likely write a textbook on applied application security at this point. But at what cost? I will never get back the hours I spent in the office while my only born son took his first steps, or said his first words. I’ll never build the trust with my stepdaughter required for when the first boyfriend breaks her heart. I won’t remember the early days of their childhoods because I wasn’t there. This industry required my attention more than my life.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;deadbeefagain&quot;&gt;DEADBEEFAGAIN&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;This isn’t a post for pity. This is a post of realization. A moment of clarity, even. I’ve been given invaluable insight into myself as of late, and I am committed to change. There are some unchangeable truths, and there are some lies that need correcting. As part of this universal gift, I intend on giving back to that which I’ve gained so much. These are some immediate thoughts, and lessons.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;the-past-is-unchangeable&quot;&gt;The past is unchangeable&lt;/h1&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I have found roughly 2/3s of the ways to fuck up standing up an appsec program. I’ve been directly responsible for about 1/3 of those. Diplomacy matters. Hubris is deadly. And, I should’ve known, SDEs don’t like anyone playing in their sandbox. They don’t even want anyone looking in the general direction of their sandbox. I thought I learned my mistake but it’s become abundantly clear my personal injury around being an outcast simply by changing to “the other side,” bleeds deep into my communication – and I need to change that. Shit happens, best you can do is make amends, pay reparations, and move forward.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I have to accept that up until even this evening, this choice of industry has stolen my children’s father. No. Their father gave himself to this industry. It’s a story as old as Capitalism itself – absentee fatherism. There is a lot of cognitive dissonance in that statement, and when I look in the mirror, considering my own upbringing.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Best intentions with personal effort without adequate support throughout an organization can be interpreted as malicious compliance in the best of times. Had I known what was going to transpire over the past two years, I would’ve changed my attitude on the outset. You cannot change the past.&lt;/p&gt;

&lt;h1 id=&quot;the-present-is-now&quot;&gt;The present is now&lt;/h1&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;The universe works in mysterious ways, and a confluence of factors lead to moments that breed growth. My time in this space is growing to a close. At least in the capacity I’ve been functioning in. As part of growth, a human moves through stages of development, proficiency, mastery, then into the cycle again. While I’ve been engaging in personal growth opportunities, an individual of late has brought light to my being that I’ve not witnessed in some time. The challenge, the truth, the judgement is something I don’t need; my hubris nods.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I am working on myself, and how I present myself to the world. I’ve spent decades in the dark, in the terminal. A ghost in the machine, per se. However, that need not be the case as I’m learning, and in fact, I might actually offer value instead of letting this… industry consume me like a virus. I can be an immunoresponse, and I should give back to the community. I can give back to software developers, open source maintainers, and the inexperienced. If cyber benefits? Cool. If not? Get fucked.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Things are changing, per usual, and this focus on AI is reckless. Tonedeaf leadership dictating that individuals will be evaluated on their use of AI during performance reviews is self defeating. Your best talent will not leverage AI the same way your worst does. The quality of work produced will be wildly different, all the way down to the minutes of revision per iteration. Forcing this down your people’s throats because of your own fear signals a massive uncertainty in your vision – you don’t trust your own value to the market. :facepalm:&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;the-future-is-inevitable&quot;&gt;The future is inevitable&lt;/h1&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I have a head full of brains, and am trying to find a voice to make sense of it all. I need to change this relationship; it’s not working. It’s you, and me. And regardless what LinkedIn says, I think a lot of you, like me, feel this way. I should’ve set stronger boundaries. You shouldn’t have been so thirsty. We both fucked up. This isn’t working. No, there will not be goodbye sex. I’m not going away. I’m changing where I stand, and how we interact.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;There are some major conferences coming up – I’m missing the two biggies – but I will be speaking. I will be airing grievances. And I will be offering solutions for every appsec soldier that’s drinking themselves to death, giving up their lives, for a thankless, tonedeaf CEO somewhere else. We might have to sit silent next week, and the week after. But, sometime soon…&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’ll stand up and say “I told you so.” The reason for that comment will be either a good thing, or a bad thing. It’s up to someone else to figure that out between then and now. #appsecsux&lt;/p&gt;</content><author><name></name></author><category term="career" /><summary type="html">510 Not Extended</summary></entry><entry><title type="html">503 Unavailable</title><link href="https://www.thomasjost.com/career/2025/01/01/503-unavailable.html" rel="alternate" type="text/html" title="503 Unavailable" /><published>2025-01-01T17:03:55-08:00</published><updated>2025-01-01T17:03:55-08:00</updated><id>https://www.thomasjost.com/career/2025/01/01/503-unavailable</id><content type="html" xml:base="https://www.thomasjost.com/career/2025/01/01/503-unavailable.html">&lt;h1 id=&quot;503-unavailable&quot;&gt;503 Unavailable&lt;/h1&gt;

&lt;h2 id=&quot;fuck&quot;&gt;fuck&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Alright. It’s out there. The “word.” Should I have written cunt? It is one and the same, depending on vernacular and/or region. Regardless. That’s out of the way. I want to discuss something. A short story first.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;A lowly, quiet web server sits, marginally neglected but happy pumping its packets in response to requests. It has no ports open other than those to serve simple text files, and it doesn’t accept inputs, so it just lives, you know? Just does its job. Then, one day, this web server decides it wants a little more out of its life. It decides to not just serve a web site but to serve a couple others, you know, because web rings were becoming a thing and it thought that would be fun, and maybe it would help share resources. That worked for a while.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;The web server was happy. It had friends. It had socialization, and its resources were finally not living in idle, but bits were moving. Things were aching a little, but that was because the things that hadn’t moved for a while, were moving. It was ok though, and it was happy. It did its job relentlessly, and shared those resources unrequit3d. 1t was happ4.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Th3 web s3rvR started to str#g&amp;amp;l3. It kept phi$h!ng but eventu4lly. It f41l3d. The software didn’t realize the hardware was g1ving 0ut. T0o much inpu+ with0ut enough throu&amp;amp;h4ut, or a h34rt big en0ugh to accommod4t3 all the pressure equated to total fai========0xFFFFFF—-no0p&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;0xd34db33f&quot;&gt;0xd34db33f&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;2024 was a loss. The web server burned out. It went on to hack together solutions for self preservation, because it had child links to support and retain. Its peers didn’t care for its efforts, just their own preservation. Its administrator was happy it produced something as it meant they had another breath to breathe, but that means little to the little web server. Till next year…&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;the-web-server-will-persist&quot;&gt;The web server will persist.&lt;/h1&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Ok. Let’s talk about the culture of tech. Or moreso, let me tell you my perception of tech. Your opinion doesn’t matter any more than mine. We both have assholes, so we’re level. Find your exit, if you don’t want to read this. Paper’s just to your left. No skid marks allowed in this house.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Just because you write code, doesn’t mean you are authority. Just because your “level” in an org is higher than another’s doesn’t mean a goddamn thing unless you’re day 1 in a startup (even then – day 0 doesn’t mean you’re superior). Just because someone does something parallel to your purview without acknowledging you, nor requesting your permission, doesn’t mean they are wrong.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Decreasing salary offers based off of physical location is garbage. A person’s talent is NOT worth less based off their physical location. Point blank. SV mindset must die. Pay me or get fucked. Per Bezos, disagree and commit, regardless delivery method of the message. We’re in 2025 – I don’t need to smell your farts, nor you mine, to know who is working. We have tickets, roadmaps, KPIs, OKRs, MVPs, and QBRs, right? All the acronyms that don’t mean anything impactful – a physical presence in an office, or proximity to one, doesn’t decrease the value of a person’s time for money.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I am a coward. I don’t take confrontation on the chin. But I will think, and I will write, and I will respond, oftentimes at inopportune times, and more often than not I fuck things up. And I’m starting to think a lot of people in security, or seasoned people in tech, realize this trait and we hide. Then, we respond. Sometimes it works out. More often than not lately, I’ve seen people completely fall off. This is a toxic signal. We need to do better. So…&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’m fucking done hiding.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’m burnt out. I want out. I want better. I need better.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Alcohol is a huge thing we don’t talk about but is always around. Show me a founder, show me a senior + level developer/engineer, show me an authority of some type that’s not or hasn’t had, a problem with alcohol. It’s an issue. We glorify the parties, the nightcap, the Friday let loose. What’s happened instead? An entire industry of alcoholics only operating at 35% because every night, and every weekend in excess, they’re ingesting poison.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;If we really gave a shit, and wanted to execute change in this world we all share, alcohol would not be a fixture. We would leverage a clear mind, all the time. Champion sobriety as superior to inebriation. The Ballmer Peak is bullshit, I’d rather meet Gaia on two points and a few grams for enlightenment than spend three days repaying a night’s debauchery. My brain cycles are too expensive anymore. I have given too much, and am tired of CEOs touting their expensive spirit as a signal of a good time, especially when their belligerent ass can’t even recognize a three year employee. “Hi Mr CEO, never shook your hand, glad to meet you.” “Oh shiiiittt hahahah, I need to pee.” Fucking shameful.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Do better. Me. You. Them. The webserver is cooking.&lt;/p&gt;</content><author><name></name></author><category term="career" /><summary type="html">503 Unavailable</summary></entry><entry><title type="html">403 Unauthorized</title><link href="https://www.thomasjost.com/career/2024/10/04/403-unauthorized.html" rel="alternate" type="text/html" title="403 Unauthorized" /><published>2024-10-04T18:03:55-07:00</published><updated>2024-10-04T18:03:55-07:00</updated><id>https://www.thomasjost.com/career/2024/10/04/403-unauthorized</id><content type="html" xml:base="https://www.thomasjost.com/career/2024/10/04/403-unauthorized.html">&lt;h1 id=&quot;403-unauthorized&quot;&gt;403 Unauthorized&lt;/h1&gt;

&lt;h2 id=&quot;lets-talk-about-the-state-of-application-security&quot;&gt;Let’s talk about the state of Application Security&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Alright. It’s been a looong while. Not much has changed since my last post. Still toiling away as the sole appsec engineer at \company\, still catching more misses than wins. I’ve come to accept that this specific position in this specific company was never set up to be successful, or that success wouldn’t be as simple as pushing a few code commits, or collaborating with the engineering org to get shit done. Nope. That would be far too easy given how my career has progressed over the past decade.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;A major contributing issue I’ve identified seems to be the turnstile that is leadership. In the past 18 months, leadership throughout the company has seen significant changeover, or simply outright attrition. Budgeting has been trimmed of all excess fat. Engineering itself has been cut down to half the size it was, and the resources that still exist are performing amazingly well given every one person is producing the output of at least two warm bodies. Everyone is oversubscribed, and the seemingly semi-annual restructuring has a lot of people feeling burnt out and trapped.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Secondly, for a short stint infosec was in the same org as engineering, and that pretty well confused the hell out of a lot of people. We’re not there anymore, but the belief that infosec is still under the control of engineering has persisted. This has made us getting things done exceptionally hard, especially since budget allowances became somewhat muddy as did ownership of tooling. Hopefully you see how this can be properly problematic for appsec – security tooling that impacts engineering efforts lands in a grey area.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Regardless, I don’t get budget anyways. I don’t get the resources I need to be effective, and as such engineering leaders are of the opinion that security doesn’t do anything. When security does do something, they don’t do it right. Sure makes a guy feel good about themselves when they’re putting in 10+ hour days and sacrificing their mental and physical health while watching their children’s childhoods blow by with nothing more than short glimpses of it.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Appsec is arguably the most difficult security job I know of. Relationships have to be cultivated so that the people that are supposed to do the implementation work, will do the work. Much of the hands on keyboard efforts are supposed to be delegated out to other people – and you have to take their word that they will do the thing. When they don’t, and you miss goals you defined per their commitments, you look like you’re ineffective. So, you go to do the hands on keyboard work yourself, and instantly people are pissed off because you didn’t get their blessing to do your job.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;It’s bad. The state of application security is bad.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;its-not-all-lost-though&quot;&gt;It’s not all lost, though&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I defined plans and architected this program almost a full two years ago, and I’m confident that once we overcome the hurt feelings and the animosity towards infosec controlling the narrative regarding the true risk profile we’re currently in, in regards to engineering, that the program will be one of the most robust in the industry – not just for a company of our scale.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I think we have the right people listening now that will help shift the focus away from me being the enemy to what I’m really trying to do. That is, help people be better at what they do while protecting the company from showing up in the next big headline. Given our position, and the products we’re releasing, if we were to suffer a breach due to a vulnerability in our software all several hundred of us will be looking for new jobs. Job hunting in this climate? I would rather have my toenails removed with pliers.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;For the first time since budget cuts started last year, I am finally hearing whispers that I might get budget for tooling. I can run SAST with some awesome open source tooling just fine, but SAST is a massive time waste without DAST to really focus efforts. My hope is early next year, I’ll finally get this cornerstone software and really be able to get shit moving.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I had pushback against DAST last year because, “the current security posture is terrible. We need to fix that before we add more tooling.” Whatever, we can’t fix the posture if we don’t know what to fix, and I’m now of the mind that I’ll do security things outside of engineering’s view and filter tickets through the vulnerability management program our awesome TPM stood up. There’s no need to have engineers learn a new tool, and if there’s going to be so much pushback against the shift left effort, that’s fine. I’m all for concurrency, and frankly rather engineers not be looking at security tooling anyways.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;how-what-and-where-communication-happens-matters-a-lot&quot;&gt;How, what, and where Communication happens matters. A lot.&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;</content><author><name></name></author><category term="career" /><summary type="html">403 Unauthorized</summary></entry><entry><title type="html">200 Success</title><link href="https://www.thomasjost.com/python/github/2023/02/09/200-success.html" rel="alternate" type="text/html" title="200 Success" /><published>2023-02-09T12:06:29-08:00</published><updated>2023-02-09T12:06:29-08:00</updated><id>https://www.thomasjost.com/python/github/2023/02/09/200-success</id><content type="html" xml:base="https://www.thomasjost.com/python/github/2023/02/09/200-success.html">&lt;h1 id=&quot;200-success&quot;&gt;200 Success&lt;/h1&gt;

&lt;h2 id=&quot;mapping-repository-dependencies-with-github-cli-and-python&quot;&gt;Mapping repository dependencies with Github CLI and Python&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I transitioned into my new role as an application security engineer, and immediately started diving in on a Shift Left effort. My goal for the first quarter is to get static analysis running on every developer’s local system using semgrep. I had hit the ground running, was making progress, and as per usual in infosec we had an urgent request come in for a potential client.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;The request was simple enough, something along the lines of “Legal needs a comprehensive list of all the open source dependencies our software uses. We’re trying to get the contract out within 30 days.” Cool, cool. So basically a promise was made to the potential client and we have to deliver this artifact like, last week.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I figured a request like this is common enough, and we even have a tool called https://www.cidersecurity.io/ which provided supply chain data. So, trying to be efficient I thought, well let’s just export the list of all the things, narrow the list down to production only repos, then de-duplicate. Done! But, as any senior engineer knows if it’s that easy, something isn’t right. Well, in this case when trying to export a CSV with 36k records, the request times out on Cider.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Ok, so that won’t work. I’ll just use the Github API, and I’ve been wanting to expand my golang chops. This should be a great opportunity for that!&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Well, golang is kind of an asshole and picking up some syntactical details I’d glossed over in the Golang for dummies tutorials I’ve read came back to bite me. Finally I got something going but there was a problem — my personal access token was only fetching my personal repos on Github, not the repos associated with my organization. Off to another adventure into the depths of Github documentation to figure out something else I didn’t know I didn’t know, which was cool because now our organization has PAT access hardened (another quick win).&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;TL;DR: I was finally able to fetch all the repos within my organization using https://pkg.go.dev/github.com/google/go-github/v50/github.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;BUT another problem — there’s no f’ing way to fetch a repository’s dependency map via Github’s RESTful API :facepalm:. To do that, you have to use the GraphQL API, which was yet ANOTHER language I had to pick up. Truth be told, I gave up on this effort after about three hours of head bashing and much colorful language.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Then something amazing happened… a fellow engineer &lt;strong&gt;cough&lt;/strong&gt; thanks &lt;a href=&quot;https://twitter.com/spaceB0xx&quot;&gt;@spaceB0xx&lt;/a&gt; &lt;strong&gt;cough&lt;/strong&gt; sent me this link &lt;a href=&quot;https://github.com/andyfeller/gh-dependency-report&quot;&gt;https://github.com/andyfeller/gh-dependency-report&lt;/a&gt; and said “maybe this will help.” A quick review of the code sparked my interest and I went to bed hopeful. The next morning I got up, logged on, and ran:&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;gh extension &lt;span class=&quot;nb&quot;&gt;install &lt;/span&gt;andyfeller/gh-dependency-report
gh dependency-report Organization backend-service
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;A REPORT WAS GENERATED! I vengefully deleted the three directories containing various attempts for doing what this extension did in about 30 seconds, and proceeded to run:&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;gh dependency-report Organization
^C
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Ctrl-C&lt;/code&gt;ed as soon as the massive list of 600+ repositories appeared as we have a ton of dead repos, internal tooling repos, playgrounds, etc. I only needed ~170 of these repositories in the resulting report so after cleaning up that list I was able to run the extension with the admittedly still massive list of repos and go for a walk. When I returned, we finally had a 25MB file containing a list of all production-impacting dependencies and I was on to the easy part: de-duplicate the list, break the list down into separate files containing language specific dependencies, remove internal dependencies, and produce one last file listing the unique licenses on each of those dependencies.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I won’t cover what this code does line for line, but after a couple hours of hacking this thing together we have our deliverable in hand, and tooling to make sure when the next request of this kind comes in we aren’t scrambling like we were this time round.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;div class=&quot;language-python highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;csv&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;pandas&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;pd&lt;/span&gt;

&lt;span class=&quot;n&quot;&gt;FILE_NAMES&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
    &lt;span class=&quot;s&quot;&gt;&apos;PIP&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;python_dependencies&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;s&quot;&gt;&apos;NPM&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;javascript_dependencies&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;s&quot;&gt;&apos;COMPOSER&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;php_dependencies&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;s&quot;&gt;&apos;NUGET&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;dotnet_dependencies&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;s&quot;&gt;&apos;ACTIONS&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;github_dependencies&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;
    &lt;span class=&quot;s&quot;&gt;&apos;RUBYGEMS&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;ruby_dependencies&apos;&lt;/span&gt;
&lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;with&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;full_dependency_list-prod-repos.csv&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;as&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;file_in&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;[!] Processing report....&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;csv_in&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;csv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;DictReader&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;file_in&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;keep_fields&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;Dependency&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;Version&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;License Type&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;License URL&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;outputs&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{}&lt;/span&gt;

    &lt;span class=&quot;n&quot;&gt;licenses&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;set&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;

    &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;row&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;csv_in&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;pkg_manager&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;row&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;Package Manager&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
        &lt;span class=&quot;c1&quot;&gt;# open new file and write the header
&lt;/span&gt;        &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;pkg_manager&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;not&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;outputs&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
            &lt;span class=&quot;n&quot;&gt;file_name&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;pkg_manager&lt;/span&gt;
            &lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;pkg_manager&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;FILE_NAMES&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
                &lt;span class=&quot;n&quot;&gt;file_name&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;FILE_NAMES&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;get&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;pkg_manager&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

            &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;sa&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;[!] Creating &lt;/span&gt;&lt;span class=&quot;si&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;file_name&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;.csv....&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
            &lt;span class=&quot;n&quot;&gt;file_out&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;sa&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;file_name&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;.csv&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;w&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;newline&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
            &lt;span class=&quot;n&quot;&gt;dw&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;csv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;DictWriter&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;file_out&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;fieldnames&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;keep_fields&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
            &lt;span class=&quot;n&quot;&gt;dw&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;writeheader&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;
            &lt;span class=&quot;n&quot;&gt;outputs&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;pkg_manager&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;file_out&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;dw&lt;/span&gt;

        &lt;span class=&quot;c1&quot;&gt;# fetch only the fields we want
&lt;/span&gt;        &lt;span class=&quot;n&quot;&gt;fields_to_write&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;s&quot;&gt;&apos;Dependency&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;row&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;get&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;Dependency&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
            &lt;span class=&quot;s&quot;&gt;&apos;Version&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;row&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;get&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;Requirements&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
            &lt;span class=&quot;s&quot;&gt;&apos;License Type&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;row&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;get&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;License&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;),&lt;/span&gt;
            &lt;span class=&quot;s&quot;&gt;&apos;License URL&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;row&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;get&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;License Url&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;

        &lt;span class=&quot;c1&quot;&gt;# write the row
&lt;/span&gt;        &lt;span class=&quot;n&quot;&gt;outputs&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;pkg_manager&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;][&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;].&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;writerow&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;fields_to_write&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;licenses&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;add&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;sa&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;row&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;get&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;License&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s&quot;&gt; &lt;/span&gt;&lt;span class=&quot;si&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;row&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;get&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;License Url&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

    &lt;span class=&quot;c1&quot;&gt;# close all files
&lt;/span&gt;    &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;file_out&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;_&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;outputs&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;values&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;():&lt;/span&gt;
        &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;sa&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;[!] Closing &lt;/span&gt;&lt;span class=&quot;si&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;file_out&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;name&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;...&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;file_out&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;close&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;

    &lt;span class=&quot;c1&quot;&gt;# generate licenses file
&lt;/span&gt;    &lt;span class=&quot;n&quot;&gt;license_out&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;open&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;unique_licenses.csv&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;w&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;newline&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;license_header&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;License Type&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;License URL&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;dw&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;csv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;DictWriter&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;license_out&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;fieldnames&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;license_header&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;dw&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;writeheader&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;

    &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;lic&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;licenses&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
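        &lt;span class=&quot;c1&quot;&gt;# split on the last space only: license names may contain spaces, URLs do not
&lt;/span&gt;        &lt;span class=&quot;n&quot;&gt;temp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;lic&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;rsplit&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos; &apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;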
        &lt;span class=&quot;n&quot;&gt;fields_to_write&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;{&lt;/span&gt;
            &lt;span class=&quot;s&quot;&gt;&apos;License Type&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;temp&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;],&lt;/span&gt;
            &lt;span class=&quot;s&quot;&gt;&apos;License URL&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;temp&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
        &lt;span class=&quot;p&quot;&gt;}&lt;/span&gt;
        &lt;span class=&quot;n&quot;&gt;dw&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;writerow&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;fields_to_write&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

    &lt;span class=&quot;n&quot;&gt;license_out&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;close&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;()&lt;/span&gt;

&lt;span class=&quot;c1&quot;&gt;# de-duplicate only the files that were actually written above
&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;f&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;outputs&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;file_name&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;FILE_NAMES&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;get&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;sa&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;[!] De-duplicating &lt;/span&gt;&lt;span class=&quot;si&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;file_name&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;.csv....&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;df&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;pd&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;read_csv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;sa&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;file_name&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;.csv&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;df&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;drop_duplicates&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;inplace&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;bp&quot;&gt;True&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
    &lt;span class=&quot;n&quot;&gt;df&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;to_csv&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;sa&quot;&gt;f&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;{&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;file_name&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;.csv&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;index&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;&lt;span class=&quot;bp&quot;&gt;False&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;[!] Done!&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
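
&lt;p&gt;An added example, not part of the original script: the same split-by-package-manager and unique-license steps done in memory with tuples, so duplicates drop out without a second pass and license names containing spaces stay intact, plus the internal-dependency filter the write-up mentions. The sample rows and the acme prefixes are constructed assumptions; the column names are the ones the script above reads.&lt;/p&gt;

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout the script above reads.
SAMPLE_REPORT = """\
Package Manager,Dependency,Requirements,License,License Url
NPM,lodash,4.17.21,MIT,https://example.test/licenses/mit
NPM,lodash,4.17.21,MIT,https://example.test/licenses/mit
NPM,@acme/ui-kit,2.0.0,,
PIP,requests,2.31.0,Apache License 2.0,https://example.test/licenses/apache-2.0
PIP,acme-billing-client,1.4.2,,
PIP,leftpadpy,0.1.0,,
COMPOSER,acme/auth-sdk,3.1.0,,
COMPOSER,monolog/monolog,3.5.0,MIT,https://example.test/licenses/mit
"""

# Assumption: internal packages are recognisable by an organisation prefix.
INTERNAL_PREFIXES = {
    'NPM': ('@acme/',),
    'PIP': ('acme-',),
    'COMPOSER': ('acme/',),
}


def is_internal(pkg_manager, name):
    """True when the dependency name carries one of our own prefixes."""
    prefixes = INTERNAL_PREFIXES.get(pkg_manager, ())
    return name.lower().startswith(prefixes)


def build_inventory(report_lines):
    """Return (deps per package manager, unique licenses, unlicensed deps).

    report_lines is any iterable of CSV lines: an open file or a list.
    Sets of tuples make every output unique as it is collected.
    """
    deps = defaultdict(set)   # manager: {(name, version, license, url)}
    licenses = set()          # {(license, url)}
    unlicensed = set()        # {(manager, name, version)}

    for row in csv.DictReader(report_lines):
        # DictReader yields None for fields missing from a short row.
        manager = (row.get('Package Manager') or '').strip().upper()
        name = (row.get('Dependency') or '').strip()
        if not manager or not name or is_internal(manager, name):
            continue

        version = (row.get('Requirements') or '').strip()
        lic = (row.get('License') or '').strip()
        url = (row.get('License Url') or '').strip()

        deps[manager].add((name, version, lic, url))
        if lic:
            licenses.add((lic, url))
        else:
            # Third-party code with no detected license needs manual
            # review, so keep it visible instead of dropping it.
            unlicensed.add((manager, name, version))

    return deps, licenses, unlicensed


def render_csv(header, rows):
    """Serialise rows in sorted order so repeated runs diff cleanly."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator='\n')
    writer.writerow(header)
    writer.writerows(sorted(rows))
    return buf.getvalue()


if __name__ == '__main__':
    deps, licenses, unlicensed = build_inventory(SAMPLE_REPORT.splitlines())
    dep_header = ['Dependency', 'Version', 'License Type', 'License URL']
    for manager, rows in sorted(deps.items()):
        print(f'[!] {manager}')
        print(render_csv(dep_header, rows))
    print('[!] unique licenses')
    print(render_csv(['License Type', 'License URL'], licenses))
    print('[!] no license detected')
    print(render_csv(['Package Manager', 'Dependency', 'Version'], unlicensed))
```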

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Hopefully this helps someone else out there faced with a similar problem. Thanks for reading.&lt;/p&gt;</content><author><name></name></author><category term="python" /><category term="github" /><summary type="html">200 Success</summary></entry><entry><title type="html">404 Not Found</title><link href="https://www.thomasjost.com/general/2023/01/04/404-not-found.html" rel="alternate" type="text/html" title="404 Not Found" /><published>2023-01-04T15:20:29-08:00</published><updated>2023-01-04T15:20:29-08:00</updated><id>https://www.thomasjost.com/general/2023/01/04/404-not-found</id><content type="html" xml:base="https://www.thomasjost.com/general/2023/01/04/404-not-found.html">&lt;h1 id=&quot;404-not-found&quot;&gt;404 Not Found&lt;/h1&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;its-been-a-while&quot;&gt;It’s been a while…&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;This place is dusty. I’ve been MIA for a while, at least on the blogging front. Despite that, I remembered, “oh shit, I have analytics for my blog, I wonder how it’s been doing.” 2022 was a wild year, to say the least. In January traffic peaked out at just shy of 1400 visitors on the biggest day, and in July… I have no idea what was going on but there were several 5,000+ visitor days. Anyways, that made me consider whoever is actually reading this content might be curious where the hell I’ve been.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h3 id=&quot;ive-been-everywhere-man&quot;&gt;I’ve been everywhere, man.&lt;/h3&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;July of 2021, I accepted a new position as a senior software engineer on a platform team at a pretty cool company. The team I was on was composed of some of the best engineers I’ve ever had the privilege of working with, the company is 100% remote first, and the best part is they saved me from suffering in PHP land any further. I FINALLY ESCAPED THE TRAP! Python and Node are the flavors of choice here, and yes I’m speaking in present tense because I’m still with the same company.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;All hasn’t been great, though. Within two months of my start date my EM and principal engineer left. Two months later, two other senior engineers left. And finally, in December the last remaining original team member departed. Talk about a soft landing — I show up and everyone leaves the room. Awkward…&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;In the midst of this chaos I did see an opportunity though. For the previous couple years I had entertained the idea of transitioning into people leadership. The reasons were varied, and somewhat driven by what a typical technical track looks like — you get to senior, sit there for half a decade, then maybe make staff, then after another decade maybe make principal. All the while salaries stagnate at a certain point, and to me, you end up picking up a ton of people leadership responsibilities while still juggling the expectations of being highly productive. Why would you want to be accountable for people reporting to you while also juggling exponentially more technical problem scopes? Not for me, or at least I thought that then.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Instead, as my team hired on two new engineers and brought two others from another team into the fold, I stepped up as the team lead. Given the team’s EM was technically the entire platform organization’s director, I was picking up a ton of EM tasks and progressively being pulled out of heads down coding time. After months of doing that, my team and I pushed to make me the official EM. #careermilestoneachieved!&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;for-those-of-you-considering-this-transition-take-heed-to-this-next-piece-of-advice&quot;&gt;For those of you considering this transition, take heed to this next piece of advice.&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Transitioning to leadership is way harder than you comprehend right now, and it is not for the faint of heart. Expect your working hours to increase by at least 50% initially, and to make more mistakes than you’ve made since you were a junior engineer. Don’t expect to just pick up the title and run. I know you won’t listen, but I feel compelled to tell others considering this transition as the time since my promotion to EM has had a lot of negative impacts on me personally despite providing exponential opportunities for growth that I didn’t know existed. I’ll write about all that at a later time, though.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;this-brings-me-to-now&quot;&gt;This brings me to now.&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Given I’ve figured out being in people leadership isn’t what I want to do, at least not right now, I interviewed for an internal senior appsec engineer role and received the offer. I’m finally getting back to what I was doing before I left the last company, and getting to repeat almost exactly what I did there, just here. The fact that this company provides so much flexibility, and opportunity, for their people to do the things they’re passionate about while enabling employees’ personal growth is by far my favorite trait about this place. I’ll be stepping down as the EM for my team (much to their disappointment) at the end of January, and I cannot express how excited I am to have some semblance of work life balance back. To be able to put my work down at the end of the day. To be fully present with my kids and partner again. Plus, I’ll be getting to engage in offensive security shenanigans while helping engineers throughout the entire engineering organization level up.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;That’s it. That’s the TL;DR: of what I’ve been up to. I’ll be dropping some additional entries alongside this one that I’ve had in draft state and just haven’t touched in some time. I know this one is personal, and atypical of most of my other content, but at this point I’m going to be pivoting this blog to be a public journal. Maybe I’ll be more consistent. Unlikely, but maybe.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Take care.&lt;/p&gt;</content><author><name></name></author><category term="general" /><summary type="html">404 Not Found</summary></entry><entry><title type="html">500 Internal Server Error</title><link href="https://www.thomasjost.com/career/programming/2021/01/15/500-interval-server-error.html" rel="alternate" type="text/html" title="500 Internal Server Error" /><published>2021-01-15T19:13:00-08:00</published><updated>2021-01-15T19:13:00-08:00</updated><id>https://www.thomasjost.com/career/programming/2021/01/15/500-interval-server-error</id><content type="html" xml:base="https://www.thomasjost.com/career/programming/2021/01/15/500-interval-server-error.html">&lt;h1 id=&quot;500-internal-server-error&quot;&gt;500 Internal Server Error&lt;/h1&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;A malformed request. A stray character. An array where an object should be. The wrong HTTP request type. We’ve all experienced 500 errors when integrating with a new API, or an old API. We’ve seen 500’s when doing our own development; dived into logs, added &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;print_r&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;echo&lt;/code&gt; at each step. Pulled out a debugger, even. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;gdb&lt;/code&gt; or &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;xdebug&lt;/code&gt;. In pursuit of finding the how to the why, trying to understand.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;But what happens when our brain returns a 500? How do you deal with that? What do you call it? We’re not servers. Our brains aren’t a precisely engineered composition of silicon, copper and lead, with microscopic transistors orchestrating mental operations. Our brains are composed of various classes of organic matter and compounds. I believe we can refer to a human’s 500 Internal Server Error as burnout.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’m burned out.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I spent 2020 working. Working through the pandemic, through the riots in Portland, working through the significant workforce reductions my employer imposed. I worked through weekends, through holidays, through everything. While the world tried to rip itself apart, my employer somehow mustered the power to pull my coworkers and me closer than ever. The volume of crises increased, so much so that even on the days I tried to take PTO (two, to be exact), I was pulled into triage calls and meetings.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Everything has suffered. My family is struggling to stay together. My dependents are starved for me. I’m starved for me. I just need to find the bug, the stack trace that cryptically says where everything went sideways. By understanding the failure, I will find the fix, and understand how to prevent this from occurring in the future. Without finding the fault, I’m at a loss.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;This isn’t an intermittent failure on a vendor’s system. This is persistent and replicable.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I know posting something like this may compromise future opportunities. It may be too personal, or show too much of where I’m at right now for me to be appealing. That’s another funny thing about burnout; apathy. I don’t care. I haven’t posted since October. I need to write something. So why not write what I know so many of my colleagues are feeling. You fault me for being burnt out, I don’t want to work with you. Period. I own my choices. My position doesn’t accommodate me taking time – “we run lean.”&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I am human. Not a cog in your machine.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;recovery&quot;&gt;Recovery&lt;/h1&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I watched &lt;a href=&quot;https://youtu.be/hFkI69zJzLI&quot;&gt;this video&lt;/a&gt; and a lot of things clicked. I’ve been a complete asshole for months. Unreasonably irritable with the smallest triggers, depressed, anxious, uncommunicative. Hell, I don’t even really talk to my shrink. I’m paying $150/hr to only brush over surface shit with a stranger. A stranger a decade older than me that probably envies me for my income. Part of the generation that despises my generation. Productivity is.. comical.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’m apathetic. I care enough to realize that I need to continue to meet baseline so I can support my way of life, but not enough to give any extra. They’ve taken enough from me, and I’m too tired to do anything more.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’ve realized a change is no longer a feature request, but a requirement. It’s not a nice-to-have library. It’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;stdio&lt;/code&gt;. I’m not sure if moving to another employer, where my personality will allow yet another manager to completely and totally exhaust my resources is the right choice, or pivoting to consulting is the way. However, running a business in my state? That’s a sure route to failure. Kernel panic.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;My biggest regret and most missed aspect of doing what I do is building.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I just want to write code.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;No clients. No tech support. No meetings. Just me, my IDE, and my headphones.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’m tired. Happiness doesn’t exist at the bottom of the bottle, don’t ask how I learned that. Adaptogens are near useless when you 500, and talking to your superior (you know, the people that dictate whether you’re paying your bills next month) is a double edged sword. Asking for time off is always a gauntlet.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;At this point, I’m at an impasse. If I don’t get five business days off without interruption, without being pulled into triage or some “must attend” meeting, then I don’t think I have a choice but to force a change. The future is unknown, but I know I cannot continue with what the past has shown me. One should not be dehumanized to the point of self-elimination by an employer.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I thought I was stronger than this.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;In short, I don’t know what the road to recovery is. I don’t even know which direction is up at this point. What I do know is I have 20+ applications that haven’t been answered yet. I’m submitting more daily. And I’m pushing through with a smile taped on my face, and a kind tone in my voice. I just don’t know at this point.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;500 Internal Server Error
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;</content><author><name></name></author><category term="career" /><category term="programming" /><summary type="html">500 Internal Server Error</summary></entry><entry><title type="html">Permission denied, please try again.</title><link href="https://www.thomasjost.com/career/programming/2020/10/20/permission-denied.html" rel="alternate" type="text/html" title="Permission denied, please try again." /><published>2020-10-20T10:23:00-07:00</published><updated>2020-10-20T10:23:00-07:00</updated><id>https://www.thomasjost.com/career/programming/2020/10/20/permission-denied</id><content type="html" xml:base="https://www.thomasjost.com/career/programming/2020/10/20/permission-denied.html">&lt;h1 id=&quot;permission-denied-please-try-again&quot;&gt;Permission denied, please try again.&lt;/h1&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’m at this odd stage in my career that I’m not sure how many people resonate with. I don’t have any
developer friends, and most of my network is mostly comprised of security professionals who barely
manage to write basic javascript, let alone understand the intricacies and elegance of OOP.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’ve enough years experience to qualify for senior and lead level roles, yet I feel like over the past year my skill set has stagnated because I maintain a legacy codebase with very few new feature additions. The major work that I could do was completed late last year, and things have been running relatively smoothly since then. Any significant changes are for naught now as the codebase is being retired with the new year.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Despite that, I’ve applied for countless roles and interviewed for a handful of them. One such position seems to have all but evaporated (gotta love enthusiastic head-hunters that keep pushing the next round out), while the bulk of the others have either been straight denials, ghosts, or I’ve consciously pulled myself out of the pool simply because of blockers in the code challenges.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;While talking with a coworker, I expressed this uncertainty — can’t quite call it a fear as there is only a perceived threat, but I can’t quite pin down the word for it otherwise. It almost feels like I made a mistake a year and some change ago, accepting my current role. While not entirely my fault for not realizing the gas light which was illuminating this new path for me, I take ownership for not reading between the lines enough.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;On an average week I’m lucky to write code 10% of the time, and of that time, I’m converting Word documents to HTML — glad to say all those years of abstract OOP are being put to good use writing markup! I had a project for another department that my manager pulled me off of after 30 hours because of managerial politics. That project was subsequently outsourced.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I’m being shoe-horned into a support role that I don’t want anything to do with. Yet, every day I figure out how to better muscle my career in the direction I want to go through seeming insubordination, relationship building, and blatant disregard for things my manager wants me to focus on. Those things benefit management, but do nothing to push my career in the direction I want to go. Managers are supposed to help subordinates achieve their career goals, not railroad employees into roles they don’t want.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;regarding-those-interviews&quot;&gt;Regarding those interviews&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;One interview was for an “Application Security Engineer” role. That’s exactly the title I want, with
the assumed responsibilities and work. Mind you, this company labels their pen testers with that
title. They’re not doing appsec at all, as I came to find out during the interview. Sidenote: pen
testing is only part of appsec, not all of it. Further, the interviewer seemed to be mocking me.
Software developers don’t apply for infosec roles, he said. Only reason I got the interview was he
was intrigued by my resume. The experience felt like a scene from Dinner with the Schmucks.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;The next proved the power of networking does work, sometimes. This was for a role as a backend engineer using Ruby on Rails. That’s exactly the kind of role I’d love to pivot to at this point as PHP is great, but after so long it feels like I’ve become a pariah — PHP developers don’t know how to write code according to the industry. I guess this one proved that assumption well. The initial interview went well enough as I got to the coding challenge.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;It went smoothly until it didn’t. I hit this one last blocker — something simple that I could easily
do with PHP, but the ActiveRecord design pattern abstracted something seemingly simple in such a way
I couldn’t figure out how to get it to cooperate. I just needed one value from one model to appear
in another model’s view. That’s it. I had exhausted the top end of the time limit they said it should take
someone to do the challenge, and I wasn’t making any more headway. I pulled myself out of the
candidate pool, disheartened.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Finally, the last seemed like an excellent fit. Laravel backend, Vue frontend, at a vibrant startup with a ton of runway and a passionate team that cares about their mission. I care about their mission, too — it hits close to home. The first round was incredible, and we had to make a conscious effort to keep on time as the conversation was like chatting with an old friend. Then round two came. I was speaking with the lead developer and things seemed to be moving great until he asked me what I’m passionate about.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;When I said I’m passionate about security and would love the opportunity to mentor developers on writing secure code while positioning myself to lead security efforts in a thriving startup, he killed the interview. Said I should apply for those types of roles instead and best of luck. Rejection for one’s passion isn’t a bad thing, is it? Doesn’t change the sting. That one hurt, like I’m doing something wrong as a developer.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;final-thoughts&quot;&gt;Final thoughts&lt;/h2&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Based on this, I’ve tucked tail and decided being employed with some job security during an economic
downturn, a pandemic, and a surely upsetting election year is better than dreaming of greener pastures for now. I’ve decided that if I
want a Rails role, I need to build some stuff with it. Get really familiar with it. Take some time
during my onslaught of meetings to actually write code. Maybe try to contribute to some open source
projects so I can get a better understanding beyond to-do lists and recipe apps. Maybe do this until
I hit the unofficial two year commitment I gave my manager and try the job hunt again.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Perhaps by then this phase in my career will feel less pubescent, and I’ll actually feel like the
senior engineer I qualify for instead of the one that I feel like right now. I just have to find the key to
unlock the gates which others keep, and get back to creating.&lt;/p&gt;</content><author><name></name></author><category term="career" /><category term="programming" /><summary type="html">Permission denied, please try again.</summary></entry><entry><title type="html">reformat</title><link href="https://www.thomasjost.com/systems/linux/2020/03/29/reformat.html" rel="alternate" type="text/html" title="reformat" /><published>2020-03-29T14:12:00-07:00</published><updated>2020-03-29T14:12:00-07:00</updated><id>https://www.thomasjost.com/systems/linux/2020/03/29/reformat</id><content type="html" xml:base="https://www.thomasjost.com/systems/linux/2020/03/29/reformat.html">&lt;h1 id=&quot;reformat&quot;&gt;reformat&lt;/h1&gt;

&lt;p&gt;In the midst of attempting to get Plex working again, I discovered that apparently 60GB of space was not adequate for the system to do what it needed to do. I had installed debian 10 a few months back after running on debian 9 for a few years. At the time, I had reasoned to leave the debian 9 install alone as well as continue to leave an old install of Windows 8.1 installed (For photoshop/illustrator/traktor), plus an even older Gentoo install. My thoughts were in case I ever had to boot up into Windows for design work or if I hadn’t backed up absolutely everything in the other envs, they’d still be there. &lt;em&gt;Hi, my name is tj0 and I’m a data hoarder.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I decided that today would be a great day to go ahead and deal with this issue. Saying goodbye to windows, gentoo, and debian 9, and setting up debian 10 again, just with way more space. I figured I would document this process so that maybe someone else will be able to reference this for establishing their own environment.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;kill-it-with-fire&quot;&gt;kill it with fire&lt;/h2&gt;

&lt;p&gt;I’m running on the assumption you have a bootable USB ready. If not, download the latest ISO and run:&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;div class=&quot;language-bash highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;&lt;span class=&quot;nb&quot;&gt;dd &lt;/span&gt;&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/home/tj0/debian.iso &lt;span class=&quot;nv&quot;&gt;of&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;=&lt;/span&gt;/dev/usb
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Replace &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/home/tj0/debian.iso&lt;/code&gt; with the path to your downloaded ISO and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/dev/usb&lt;/code&gt; with the path to your USB drive. I’m not covering this in depth as I assume you know what you’re doing.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Next, reboot your system and make sure your BIOS is set to boot from USB. Again, I’m assuming you know your own environment well enough to handle this yourself. I chose to use the graphical installer, for expedience. In my case, I selected the option to use the entire disk with separate &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/home&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/tmp&lt;/code&gt;, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/var&lt;/code&gt; partitions with an encrypted LVM. This way the drive will be encrypted at rest, just in case anything warrants that necessity. Security is important, mkay.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Go grab a beer and find something to do, it’s going to take a while as the installer will overwrite the disk with junk, and a 1TB disk is going to take a while to get through this. In my case, I have a secondary system so I hopped on IRC and cracked open VS Code to write this. YMMV. Anticipate it taking a while, either way.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;re-establishing-your-comfort-zone&quot;&gt;re-establishing your comfort zone&lt;/h2&gt;

&lt;p&gt;Ah, my least favorite part of all of this. Doing a fresh install is awesome because it provides you a green field to do whatever you want. But, when you’ve been doing development and security type work for long enough, you know what you like. In my case (like many others) I set up a public git repo with all my dotfiles so that at least it’s not a completely devastating process to get back to that sweet place of comfort.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;This round I’m debating going with fluxbox again. I was running xfce, but it doesn’t offer the elegance and simplicity of a super lightweight window manager. While this is still up in the air, I’m also split on using i3, as it seems all the cool kids are using it now. I’m also a fan of tiling WM’s, although I haven’t used a true tiling WM in some time. The end goal is to have a fluid UX when switching between my work system (Mac) and my home system. While the terminal is the same (zsh ftw), it’s important that much of the behavior is the same. This reduces cognitive load and frustration when hacking at home vs at work. The biggest thing of all: it has to just work. I’m far past the age and time allowance where I can continuously tweak shit and fix breakages between updates (&lt;strong&gt;cough&lt;/strong&gt;Gentoo :(&lt;strong&gt;cough&lt;/strong&gt;). I need this environment to behave as I expect, not be easily broken, and just work. Patience in this regard is thin.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;As a general package list of what I require:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;zsh&lt;/li&gt;
  &lt;li&gt;conky&lt;/li&gt;
  &lt;li&gt;tilda&lt;/li&gt;
  &lt;li&gt;VS Code&lt;/li&gt;
  &lt;li&gt;Android Studio&lt;/li&gt;
  &lt;li&gt;node&lt;/li&gt;
  &lt;li&gt;ruby&lt;/li&gt;
  &lt;li&gt;python3&lt;/li&gt;
  &lt;li&gt;php7.x&lt;/li&gt;
  &lt;li&gt;mariadb&lt;/li&gt;
  &lt;li&gt;postgres&lt;/li&gt;
  &lt;li&gt;redis&lt;/li&gt;
  &lt;li&gt;irssi&lt;/li&gt;
  &lt;li&gt;tmux&lt;/li&gt;
  &lt;li&gt;screen&lt;/li&gt;
  &lt;li&gt;vim&lt;/li&gt;
  &lt;li&gt;plexmediaserver&lt;/li&gt;
  &lt;li&gt;expressvpn&lt;/li&gt;
  &lt;li&gt;docker&lt;/li&gt;
  &lt;li&gt;virtualbox&lt;/li&gt;
  &lt;li&gt;gtk3&lt;/li&gt;
  &lt;li&gt;nmap&lt;/li&gt;
  &lt;li&gt;burp&lt;/li&gt;
  &lt;li&gt;wireshark&lt;/li&gt;
  &lt;li&gt;metasploit&lt;/li&gt;
  &lt;li&gt;jtr&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;One of my plans this round is to actually optimize my kernel for this environment. By default debian configures a very generalized kernel. While this doesn’t impact usability, as only modules are loaded as they are needed, it does lead to a bunch of extra cruft on your system that’s not needed. I haven’t noticed any significant performance impacts, but this round I want to make this system as stable as possible going forward. I’d also like to use the nvidia chip my system has versus the discrete intel graphics – this has historically been a real pain to get functioning properly as my board is an optimus-capable board and with the changing monitor configurations I have, shit gets complicated fast. In addition, it’d be nice to be able to use the CUDA functionality as I do a lot of CTF’s, and cracking with jtr could probably be a hell of a lot faster. It would also be nice to be able to use hashcat and similar, which require a dedicated GPU instead. I have no need for wine or any type of windows emulation; if I need to tread into that trash env I’ll spin up a VM.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;</content><author><name></name></author><category term="systems" /><category term="linux" /><summary type="html">reformat</summary></entry><entry><title type="html">covid</title><link href="https://www.thomasjost.com/general/2020/03/25/covid.html" rel="alternate" type="text/html" title="covid" /><published>2020-03-25T18:16:00-07:00</published><updated>2020-03-25T18:16:00-07:00</updated><id>https://www.thomasjost.com/general/2020/03/25/covid</id><content type="html" xml:base="https://www.thomasjost.com/general/2020/03/25/covid.html">&lt;h1 id=&quot;covid&quot;&gt;covid&lt;/h1&gt;

&lt;p&gt;In December 2019, China experienced an outbreak of a new virus in the same class as SARS. Within a matter of months this virus has infected every country on earth, and projections indicate that hundreds of thousands are going to die in the best case scenario. Within the past two weeks, life in America has been completely changed. I’m sure you know all of this already as anyone that’s over the age of 15 is being bombarded with minute by minute news. I just wanted to take a moment, and write a post now that I have time to get one out.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;finally-fully-remote&quot;&gt;finally fully remote&lt;/h1&gt;

&lt;p&gt;Since I started with my current employer I’ve wanted to be fully remote. Due to some arbitrary rule about me needing to be on-site three days a week that hasn’t ever come into full fruition, until this moment. I’m eight days into fully remote, and in these eight days I’ve achieved more than I have over the past two months working in office. I’ve saved $200 in parking and lunch fees; I’ve decreased my caffeine intake by several hundred milligrams a day; I’m even sleeping better. However, that means little due to some corporate decisions that have exponentially increased the stress regarding the future of my family.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I took a few hours yesterday, and finally took care of a big chunk of the cleaning I wanted to get done in my home office, and set up a more permanent working area for my work system beside my daily driver. Now if only I could figure out a way to use the same keyboard, and toggle between the two systems it would be perfect. I’ve also been focusing on learning more react native as I’m working on building a couple of apps which I’d love to see in a native format instead of the standard web apps I’ve built for the past decade.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;setting-guidelines&quot;&gt;setting guidelines&lt;/h1&gt;

&lt;p&gt;The hardest adjustment has been getting my children, and significant other to understand that when I’m in my office, I am to be left alone. I send a text notifying of meetings with the hope that distractions will be bountiful to keep the children quiet – this works 50% of the time. The normal distractions are no more significant than normal, albeit I’ve spent a bit more time on twitter because, well, that seems to be the only real-time feed of current information around this crisis coming directly from front-line workers and scientists.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;I think the biggest thing with working remote is laying out a clear routine. Sure, I spend just as much time in my office at home as I did with my commute to the corp office, but I cut my work off at 17:00. I use the next two hours daily to focus on my side projects. I have noticed that I’m not getting up as often as I should, so not taking breaks (not uncommon for me normally), and I’m forgetting to eat. Perhaps it’s the sheer level of stress this entire situation has everyone under right now, and I’m just not as quick to pick up the healthy, distractive habits as others.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;full-lockdown&quot;&gt;full lockdown&lt;/h1&gt;

&lt;p&gt;As of an hour ago, Washington state is officially under a shelter-in-place order. This means you can be charged with a gross misdemeanor, and held liable for up to $1,000 in fines, and a year in jail. Now my hope is they truly enforce this. What I’ve seen over the past days is people are simply not taking this seriously, and may not until someone they love, or themselves, is directly affected by this virus. I’m not sure if it’s escapism, avoidance of grief, or the good ol American sense of rebellion, but people need to stay home. Period. We’re in this for the long haul, and many people have lost their jobs. If you’re one of those affected by job loss you have no reason to be driving around, burning fuel and spending money right now. Take your ass home, and stay there.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;While I’m expected to still work 40 hours a week for the health of the company, I’m taking this opportunity to catch up on chores, do a very thorough spring cleaning, get a dump load ready, fill the garden with seedlings, and try to finally get some solid commits put into these side projects I’ve had running for months. Right now is a great opportunity for everyone to learn something new. Hell, get to know those you care about better than you ever have. The mortality rate of this illness is absolutely terrifying, and we will all be impacted both economically and physically by this. The psychological trauma is going to change us as a society. We need to make the best of this situation.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;That being said, I do intend on monetizing one of the apps I’m working on. I’d love for it to grow into a business at some point, though we’ll see how the initial versions work out. A lot of people would say with the economy crashing, it’s a terrible idea to start up right now. I say fuck that. By the time this exits beta, the swell will be building, and I hope to ride that next wave up so never again will the wellbeing of my family be compromised by the control of some CEO that wouldn’t recognize me on the street.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h1 id=&quot;this-sucks&quot;&gt;this sucks&lt;/h1&gt;

&lt;p&gt;A lot of this experience has been a brutal emotional roller coaster. I’m witnessing a lot of people deal with grief for their first time. I’m (un)fortunate enough to have experienced witnessing my family die off as I grew up from a young age, so I’m all too familiar with these emotions. It doesn’t change the fact that the uncertainty of this situation is terrifying, gut wrenching, and surreal. The best thing about this is we will get through this, and never be the same. Hopefully for the better.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;My hope is that American society finally sees where the federal government places their priorities, and votes for representatives that will serve the people. I hope that we as a society will replace the value we place in money into intelligence. I hope we come out of this being more conscientious about those around us, and how our actions have a ripple effect. We have this great opportunity, right now, to reset the status quo, and create a real future for America. No more of this bullshit red vs blue fighting, partisan politics that all end in zero sum. I may be delusional though. I wish I had a happy ending to this story, but as of right now, we’re still in the middle of it. Stay safe. Stay healthy. Hold those that matter to you close, but only after washing your goddamn hands. Thanks for reading.&lt;/p&gt;</content><author><name></name></author><category term="general" /><summary type="html">covid</summary></entry></feed>