[Courses] [Careers] Computer Security career path

Elwing elwing at elwing.org
Fri Jan 28 03:01:29 EST 2005


This might get long and rambling, so the first paragraph is the bare 
minimum, and if you want more details, continue reading :)

The short story:

Started with my first computer at 3, went to a high school with no 
computers, went to college, got a job as a sys admin while in school. 
Went to grad school, worked as a sys admin parttime there.  Got hired on 
by Foundstone, learned lots of stuff, took another job with a small 
consulting company.

The longer version:

My dad worked in accounting, they like crunching numbers fast, so he 
always had access to computers, and once I showed an interest in them, 
he bought me one.  From then on I always had a computer, technically it 
was the family's computer, except I was the only one who used it.  We 
moved to a small town in south Texas, and the school had no money, so we 
had no computers.  We still had typewriters for our typing classes (this 
was 1992-1996, so not that long ago).  Friends and I used computers 
outside of school though, and I was introduced to BBSs (until my parents 
discovered that the closest BBS was a long distance phone call).

I got lucky living close to a university, they offered something called 
TexPREP - Pre-Freshman Engineering Program 
(http://w3.panam.edu/~texprep/)  I spent 3 summers in High school being 
introduced to various types of math, engineering and computer science. 
This is where I learned that I could "do computers" for a living.

I went on to graduate from high school, and started at Texas A&M 
majoring in Computer Engineering.  I later changed to majoring in 
Computer Science and minoring in Electrical Engineering, mostly because 
I could take the chip design classes that I wanted to, without having to 
also take Statics and Thermodynamics :)  Against the wishes of my dad, I 
found a job as a lab assistant helping answer questions about FORTRAN. 
I also had my first introduction to UNIX, and I was hooked.  A guy I 
dated introduced me to Slackware, and I've been a unix convert ever since.

That first summer, I worked as a "temporary employee" on the graveyard 
shift babysitting two AS/400 minicomputers.  They were OK, I wasn't 
terribly impressed, but it was work, it paid, and I could study while I 
was at work - and be wide awake for the 7:30am class I had signed up for :)

In the summer of '98 I accepted an internship with INRI - now part of 
Northrup Grumman.  I did some software development on Windows NT, 
porting their existing software from HP-UX to NT.  I was doing mostly 
GUI work, and while I was OK with the job, I wasn't happy for multiple 
reasons: 1) I was working with windows, 2) I discovered I have no 
concept of design, so my GUIS never looked "right", and 3) I discovered 
that while I like coding, it's not something I wanted to do every day 
for anextended period of time.

At the end of the summer, a friend recommended me for a "programming 
assistant" position with the math department at A&M, and I started 
working with them.  I was basically a jr sysadmin with some programming 
thrown in.  I learned a lot about Solaris and Red Hat, and basic 
adminning skills.  I loved it!  Through this position and the remaining 
classes I had, I developed an interest in security.  Primarily host and 
network security, and I took every opportunity to practice my skills.

I also signed up for a graduate level crypto class, which was 
interesting, but a struggle for me since my math background wasn't the 
strongest.  Luckily, I knew exactly where the professor's office was, 
and he was willing to answer a lot of questions - working in the math 
dept had it's advantages.  At this time, I also started taking some of 
the more theoretical computer science classes, and discovering that I 
really didn't like them, kinda sterring me away from "traditional" 
computer science.

My dad was big on education, and once I finished undergraduate, I had 
already been accepted into graduate school at Carnegie Mellon in their 
Information Networking Institute (INI).  The degree of Master of 
Information Networking consisted of Computer Science, Electrical 
Engineering, Business (ick) and Public Policy classes.  I figured, well, 
I like most of it, there's only two classes required in the "business" 
part, I think I can handle this...

I handled most of it.  I went through your stereotypical hell first 
semester.  It was both fun and exhausting at the same time.   I was 
"working" this semester as an admin.  I say "working" because it was 
only 10 hours a week of required work, and usually, we only ended up 
wokring about 3-4 as was needed (I ran the Linux systems, it was a lot 
less work for me :) )

In the following spring, summer and fall, I worked on my thesis and TAed 
for several classes: two Open Source (Linux and Apache) graduate level 
classes, and two undergraduate classes: Java and C.  I got lucky with 
the C class.  I had worked for the professor for a while with his Java 
classes, and he trusted me, and he also ended up having surgery and was 
out for 4 weeks, and I "took over" the class for those 4 weeks.  I 
discovered how much I really enjoy teaching that semester.

I won't mention my thesis other than the experience was miserable, and 
I'm not sure I would ever do it again, primarily due to my advisor.

I finished all my classwork, but not my thesis, so I took a programming 
job at CMU, and I hated it.  I just didn't fit in very well with the 
personalities of the group, and it was extremely nerve wracking.  I did 
get a lot of experience working with network routing protocols, and 
TCP/IP though.  I had continued work on a friend's thesis which allows 
you to take an active TCP connection, "pause" it, and restart it with 
one of the hosts being changed. 
(http://www-2.cs.cmu.edu/~softagents/migsock.html)
I wanted out of this environment more than I could imagine.  I was even 
considering working jobs I knew I wouldn't like, but could do, just to 
be out of there. Luckily, an opportunity came up.

Other students in our program had finished their thesis a semester 
before we did, and one of them was working for Foundstone.  He referred 
me, and they made me an offer to work in DC.  I did penetration testing, 
teaching other people how to crack into machines (the Hacking Exposed 
classes), host configuration reviews, and some source code reviews.

I really enjoyed working for Foundstone. I liked the work, I liked the 
people, but I really hated the travel.  I was a consultant, and we'd be 
travelling about 2 weeks per month, sometimes more, sometimes less.  I 
did it for almost a year, but it took it's toll on me.  I wanted to be 
home to play with my boyfriend and my cats.  I started sort of looking 
for a new position, I wasn't in a hurry though, and I figured I'd wait 
until I found that "perfect" job.  My boyfriend was also looking for a 
job at the time, and I'd scan the Washington Post for positions that he 
might be interested in, and I found one titled "Computer Hacker wanted".

I was extremely intrigued, and I applied.  The President of the company 
sent me an e-mail about two days later wanting to set up an interview. 
The company was Gemini Security Solutions, a small consulting company 
outside the city.  They specialize in PKI, but do software development, 
documentation development, security audits, and pretty much anything 
that has to do with computer security.  I was up front at the interview, 
that I was mostly happy with Foundstone, and I was putting feelers out 
to see if I could find the "perfect" job.  I was also upfront about why 
I was thinking about leaving Foundstone.  I don't mind *some* 
travelling, but the 1-2 wks/month was a bit much.

He told me a lot about the company, what he wanted to do with it, where 
he wanted it to go, how he wanted to get there.  I thought that was 
extremely important because when I interviewed with him, there were 3 
employees including himself :)

I thought about it long and hard.  I was leaving a stable company with 
good benefits, good pay, good people, and going to an unknown smaller 
company, not so great benefits, and unknown stability.  I decided to 
take the chance, and I'm so glad I did.

I've been here for almost a year and a half, things are going well, I 
still like my job, I love the people I work with - kind of important in 
a small group, and I couldn't imagine working anywhere else now.  Some 
of the highlights of the environment: very casual - shorts, jeans, 
t-shirts - unless we're at a client site or clients come visiting, then 
it's usually business casual.  Relaxed work hours.  As long as I work at 
least 40 hrs/wk and get my work done, I can pretty much come and go as I 
please.

The only bad thing about the job is it's in Virginia, I live in Maryland 
- it's a 35mi drive one way, with public transportation not an option - 
it just doesn't come out this far.  Moving to VA might be in the future, 
but I tend against it because of politics and a nesting complex :)

Someday, I'd love to try teaching at the university level again, but I'm 
in no rush.  I'm currently in the part-time faculty pool at the local 
community college, so I may get to teach one or two classes at some point.

I had also flirted with going to law school at one point, enough that I 
had taken the LSAT to get in.  My scores are good for another 3 years, 
so it may still be possible...


Lessons learned:
1) Who you know is more important than how you answer job ads.  All but 
one of my positions was obtained via people I knew. Network, Network, 
Network!
2) Sometimes you gotta get out of a position no matter what it takes.
3) Smaller companies have more leeway in the environment than in pay and 
benefits
4) There are some things you may be good at, but you don't particularly 
enjoy.



Elwing









More information about the Courses mailing list