Plans for March 2014


Dear friends,

I've told some of you about my big plans in March, but I wanted to write a big open letter to everyone for good measure. When I graduated college, I feel really silly for not sending an e-mail to everyone I knew telling them that I had graduated and was looking for a job. Now that I'm switching careers, I thought it'd be wise to send an e-mail. This time I'm not looking for a job.

I'm leaving the security industry in a few months to pursue independent research in nanotechnology. It's taken a long time for me to achieve my goal of feeling confident about my financial situation so that I can pursue research without spending years in academia as a grad student or as a researcher working on someone else's project in industry. It's not that I think those things are bad, in fact they can be great, just not a good fit for me. I've been very independent for pretty much all my life and I'm impatient waiting for nanotechnology which I predicted would be in full swing years ago. If you're not familiar with nanotechnology, there's a lot of very cool science going on which is headed toward the molecular scale, smaller even than Intel's new 14nm resolution CPUs. Applications are wide-ranging and could change the way we make things. Not just computers, not just medicine, and not just solar panels. It's the reason I got my Bachelor of Science in Physics and had I been smarter about it, I may have gotten a research job back then and be where I am right now but with 10 years of research behind me. So this is me righting myself.

If you are familiar with the nano scale and nanotechnology, you know that the applications are huge, but the current state seems far away from the assembler. Current applications are thin-film solar panels (Nanosolar went out of business this year), experimental medicine, and consumer goods.

During my study and research, I'll be documenting the things I have done that actually made it possible for me to progress on my journey. The first steps have already been done. The degree in physics certainly helped, but I don't think anyone needs to spend the time and money on a college education if they can teach themselves. The standard text in the field is Nanosystems and can take a long time to read. Before you read it, you will need to understand physics, chemistry or engineering; a few years of math won't do. A few years of math wouldn't hurt though since there are some heavy equations that are made very simple if you've spent years solving equations like them. Get past the book and you'll be pretty far into nanotechnology, about as far as I will be in March. There's an open source piece of software that does all the computations in the book called Tinker, which was written in Fortran (not kidding). I will consider translating the code to C, C++, and Python as I start to use it and I intend to release some of the code open source as I reach certain milestones. I owe a lot to this link:

The differences I have seen in academia and computer security are pretty striking. Most people in the computer security industry don't have computer science degrees and most people with computer science degrees do not become hackers. If you haven't noticed, hackers present talks at security conferences without publishing peer-reviewed papers to journals. Some hackers write papers, but most just release source code to their tools or exploits. Some can't or won't publish source code at all because getting permission from their employers is difficult. My exploit for LanRev (aka Absolute Software) will never be published despite the vendor not fixing the vulnerability for years.

Phrack and 2600 are great examples of old school zines that hackers publish to. These articles are very different from the way the academic community operates. The academic community on the other hand doesn't have many free introductory talks designed to improve the field. That job is left mostly to professors who charge very high rates of tuition. My intention is to switch my focus to the scientific community and bring along some of the ad-hoc nature of the hacker community with me. While I will still publish peer-reviewed papers in journals, I think it may also make sense to meet monthly (like 2600/2621), drink a few beers with colleagues (like Thursdays at the bar), and present amateur hypotheses and PoC at conferences instead of turning our noses at people who don't have a Ph.D. I have always valued hackers' opinions whether or not they have a degree and I will always keep an open mind whenever I see the rigorous pursuit of scientific exploration. The disdain that most hackers have for CISSPs who lack skill and vendors who sell snake oil shows the general meritocracy that dominates hacking usually for the better. For those who decry elitism in the hacker community, you are not hanging out with the right group of hackers. The Neg9 crew I've spent years hacking with are all very humble and supportive of people who come to learn. On the other hand, hacking is rife with cronyism and needs to use conferences better to the advantage of those who have the skill but who lack the social skills to enter the community. Then we just need to get the outcasts to come to our conferences.

Perhaps my notes or a paper I write might inspire others to join me in a quest to understand and create the tools that will shape the future. Certainly having my friends ask me what I thought about the singularity has motivated me to work toward a point in time when I can seriously look at the stuff that needs to be done and take a crack at it.

When talking with my friend Mark about this, I realized that the burning question in my mind is: why has no one taken the research from K. Eric Drexler's Nanosystems and created something more complex than a motor?

For now, I have no business plan or intention to seek employment in nanotechnology or elsewhere, though I will entertain offers that involve researching nanotechnology. If I find a business plan that involves other people, I will try to keep people informed. Since most people don't like spam from startups based on having met a person, I will make such a list opt-in and not opt-out. You are probably not on the opt-in list if you are not on the to line of this e-mail.

Leaving my high paying job at Leviathan will also allow me to exercise my superpower, not paying taxes (inside joke). Since I am a pacifist, paying taxes is something I do not do willingly, and therefore after March I will cease funding the war machine and surveillance apparatus that America has built. I recommend the same to anyone who can. Taxes are of course a consequence of earning money in a society with a large tax-based government, but civil disobedience is a duty of having a conscience in a society that violates your values. I feel that harming the economy of our country by not earning money and not buying as many things will benefit everyone in the long run, especially myself.

During my short time in the computer security industry I learned a lot and I certainly enjoyed the company of my coworkers and friends. When I first arrived I was pretty naive about the nature of the industry and I thought that over a few years, automated tests (injection, static analysis, and fuzzing) and manual testing (hacking) would drive the status quo quickly toward security. How wrong I was. Many businesses are too large for their security posture and have problems that have emergent qualities. They need to spend years fixing the problems they created years ago; almost every year their debt grows. If we had awesome tools that any programmer could use effectively, if we had solutions ready to be implemented by any competent IT admin, and if we had the ability to switch to open source systems running with least privilege, we would stand a chance at achieving this lofty goal of rapid security implementation. So how does one person or a thousand hackers approach this problem? Education? Policy? Law? White hat hacking? Black hat hacking? Bug bounties? The answer is not easy and it certainly isn't law. I am leaving the field in capable hands though I am certain that money, NDAs, and prosecution of hackers and whistleblowers under the CFAA's vague terms have not helped the situation.

Over the years I have noticed one issue that has significantly impacted my enjoyment of being a white hat. Confidentiality agreements stop infosec people from talking about an incredibly important part of their lives. It's an operational security requirement and I understand why it's there, but I feel that the costs outweigh the benefits in the long run.

What I would like to see in my utopian vision of infosec is a more employee-friendly confidentiality policy. Since clients care a lot about their reputation, they don't have to talk about things that would harm their reputation or the reputation of their vendors. Since vendors are being paid, vendors would have an agreement (not a legally binding contract) to leave out the details and results when discussing what they do. This would allow people to talk to their family and friends about specifically what they do for a job. This would also encourage discussion amongst competing infosec companies about the micro and macro of our business. Hypothetically, let's say I'm working on a boring web pentest that lasts 2 weeks. Currently, I can tell my friend that I am indeed working in infosec at Leviathan. In my utopia, I would tell my friend that I'm working on an easy web pentest for company X. They use such and such technologies and I am using Burp to get full coverage. I would not be allowed to tell them that I found a vulnerability or what strings I've been putting in for the past 10 hours. Perhaps this utopian vision is not possible, but in the spirit of free information I feel like it is a matter of time before an infosec company adopts a more reasonable confidentiality policy.

In the future I plan to hack a few pieces of software that truly deserve it and I will publish full disclosure with no regard for the security of the users. This decision comes because I want to see security improve. I want programmers to fear me pointing my gaze at their software. And unlike in the past, I will never ask anyone for money for this service and I will not accept money in exchange for signing an NDA about things that should be public knowledge. I expect that I will publish more computer security-related papers as a scientist than as a white-hat hacker. This is of course what happens when a hacker no longer spends the most productive hours of his/her week doing work under NDA.

I hope we'll meet at conferences and around town. Of course my budget will stop me from going to many conferences, but being busy also stopped me from going to several security conferences too. Being unemployed will allow me to be more flexible and will afford me more free time, so call me up if you want to hang out or have coffee. I plan to do a little bit of travel since I won't have to be in any one place. If you know anyone that might let me couchsurf a while in another city, let me know.

The real reason I'm writing you all in December and not February is because in March I'll be looking for a cheap place to live. I want to spread my budget as far as possible, so suggestions for cheap rent would help a lot. I'll be experimenting with a low cost fresh vegetable diet so if anyone wants to share some meals, even better. I prefer the city, but would be willing to consider rooms, couches, or treehouses anywhere.

TL;dr I'm done with infosec, I'm going to do science. So long and thanks for all the fish. Give me a call or send an e-mail. I'm looking for a cheap place to live.

I appreciate any response, even a "TL;dr. Get a job, hippie."

aka. Joel R. Voss
Oct 17, 2013 - Dec 19, 2013

This e-mail will be available on my blog as an open letter which I will not link out of respect for those who hate self-promotion. If you don't know where my blog is, email me.
