In the past, my posts for various jobs have generally been the result of some curiosity, in the vein of what’s the deal with PATH, the program that formats man pages is HOW old, and what does good password hygiene look like. (Yes, I blogged in my previous life as a content strategist; no, I’m not digging those up right now. Have at it if you want.) My first post for my new job at Nylas (well, newish – I’ve been here almost eight months now) is the result of some longer study, which makes sense. One of the reasons I sought a new job was project longevity and continuity. Working as a consultant exposed me to so many new ideas and situations, but I wanted to see what I’d learn once I got to stay put for a while.
I won’t say every day has been easy, but I will say that I’m really pleased with what I’ve been doing. I get to point at a new program and essentially say “I WANT IT,” and then it’s mine. (It’s helpful when GIMME intersects with your manager’s need to delegate.) Oh, you want Elasticsearch, Breanne? HERE YOU GO. No regrets! I’ve dug deep into the weirdness of AWS IAM, moved a ton of stuff into Terraform and set our style guidelines for what good Terraform looks like, made my first EU AWS resources, learned some Ansible, got to apply Python to systems management with Boto, weirded out with Bash, and gotten better acquainted with monitoring. I’m chuffed.
A thing I gave the team in return is structure. In my work post, for obvious reasons, I didn’t go deeply into what I had previously learned that was useful here. However… what I’d previously learned was incredibly useful here. I became fatigued from new situation after new situation, but it was incredibly gratifying to get to use those same skills to make a comfortable, regular set of meetings and other expectations that I actually got to benefit from in the long term. It felt good to start good sprint planning, standups, and retros for clients, but it felt amazing to make them with myself and my ongoing teammates as the beneficiaries of this stuff. And do you know, I was pretty good at it after going through the process several times before. Fortunately, I worked with people who trusted me – and, perhaps even more important, made it clear that this was not exclusively my job and would not be solely my responsibility as time marched on. It is not extremely surprising, I think, that after setting all of this up and spreading responsibility across the team… I’m backing off the glue work for a bit, because the structure is in place for me to computer more exclusively. I’m very excited.
It also pleases me that this is all essentially another kind of automation. I love automating infra stuff – fully automated deploys and regular checks on systems and updating spreadsheets and all of the boring stuff that computers can do better than we can. What I wanted here was essentially automation in interactions, a regular cadence of events that freed us from having to reinvent structure unnecessarily, so we all had set expectations and were free to focus on the things we actually care about, that do require human interaction and innovation. I’m happy to say that it worked.
I wrote this post in part because I was proud of what I did and wanted to say so publicly. However, I also wrote it because I know the problems I had – meetings without set structure, unclear expectations between teams, irregular schedules that cause more confusion than they cure – are very common, and I hope this post helps even one other person set themselves free from another agendaless meeting, to remember that there’s something better on the other side. I’ll see you there, timer in hand, politely reminding everyone that lunch is soon, and we’d best wrap it up.
I learned about /etc/services in my first year of engineering. I was working with another engineer to figure out why a Jenkins master wasn’t connecting to a worker. Peering through the logs and netstat output, my coworker spied that a service was already listening on port 8080. “That’s Jenkins,” he said.
“But how did you know that?”
“Oh, /etc/services,” he replied. “It has all the service-port pairings for stuff like this.”
Jenkins is not, in fact, in /etc/services, but http-alt is listed at port 8080. The more immediately relevant answer was probably “through experience, because I’ve seen this before, o junior engineer,” but his broader answer got me curious. I spent some time that afternoon scrolling through the 13,000-plus-line file, interested in the ports but especially curious about the signatures attached to so many of them: commented lines with names, email addresses, and sometimes dates, attribution for a need as yet unknown to me.
I got on with the business of learning my job, but /etc/services stayed in my head as a mystery of one of my favorite kinds: everyone was using it, but many well-qualified engineers of my acquaintance had only partial information about it. They knew what used it, or they at least knew that it existed, but not where it came from. The names in particular seemed to surprise folks, when I asked colleagues for their knowledge about this as I was doing this research.
This post, a longer counterpart to my !!con West talk on the same subject, digs into a process and a file that was once commonplace knowledge for a certain kind of back-end and network engineer and has fallen out of more regular use and interaction. I’ll take you through some familiar services, faces old and new, correspondence with contributors, and how you – yes, you – can make your mark in the /etc/services file.
What is it, where does it live
In *nix systems, including Mac OS, /etc/services lives exactly where you think it does. Windows also has a version of this file, which lives at C:\Windows\System32\drivers\etc\services. Even if you’ve never opened it, it’s been there, providing port name and number information as you go about your life.
The file is set up like this: name, port/protocol, aliases, and then usually a separate line for any comments, which is where you’ll often find names, email addresses, and sometimes dates. Like so:
ssh 22/udp # SSH Remote Login Protocol
ssh 22/tcp # SSH Remote Login Protocol
# Tatu Ylonen <email@example.com>
The most common protocols are UDP and TCP, as those were the only ones you could reserve until a few years ago. However, as of an August 2011 update to RFC 6335 (more on that later), you can now snag a port to use with SCTP and/or DCCP as well. This RFC update added more protocols, and it also initiated a change from the old practice of assigning a port for both UDP and TCP for a service to only allocating the port for the protocol requested, and just reserving it for the others, though they’ll only be used if other port availability dwindles significantly.
Incidentally, the presence of a service in /etc/services does not mean the service is running on your computer. The file is a list of possibilities, not attendance on your machine (which is why your computer is probably not currently on fire).
Going through the first 500-odd lines of the file will show you some familiar friends. ssh is assigned port 22. However, ssh also has an author: Tatu Ylonen. His bio includes a lot of pretty typical information for someone who’s listed this far up in this file: he designed the protocol, but he has also authored several RFCs, plus the IETF standards on ssh.
Jon Postel is another common author here, with 23 entries. His representation in this file just hints at the depth of his contributions – he was the editor of the Request for Comment document series, he created SMTP (Simple Mail Transfer Protocol), and he ran IANA until he died in 1998. A high /etc/services count is more a side effect of the enormity of his work rather than an accomplishment unto itself.
It’s cool to see this grand, ongoing repository of common service information, with bonus attribution. However, that first time I scrolled (and scrolled, and scrolled) through the entirety of /etc/services, what stayed with me were how many services and names I wasn’t familiar with – all this other work, separate of my path in tech thus far, with contact information and a little indicator of what that person was up to in, say, August 2006.
For instance: what’s chipper on port 17219? (It’s a research rabbit hole that took me about 25 minutes and across Google translate, the Wayback Machine, LinkedIn, Wikipedia, a 2004 paper from The European Money and Finance Forum, AMONG OTHER RESOURCES. Cough.) chipper, by Ronald Jimmink, is one of two competing e-purse schemes that once existed in the Netherlands; the longer-lasting competitor, Chipknip, concluded business in 2015. The allure of these cards, over a more traditional debit card, was that the value was stored in the chip, so merchants could conduct transactions without connectivity for their card readers. This was a common race across Europe, in the time before the standardization of the euro and banking protocols, and chipper is an artifact of the Netherlands’s own efforts to find an easier way to pay for things in a time before wifi was largely assumed.
There are, of course more than 49,000 others; if you have some time to kill, I recommend scrolling through and researching one whose service name, author, or clever port number sparks your imagination. Better still, run some of the service names by the longer-tenured engineers in your life for a time capsule opening they won’t expect.
Port numbers and types
Ports are divided into three ranges, splitting up the full range of 0-65535 (the range created by 16-bit numbers).
0-1023 are system ports (also called well-known ports or privileged ports)
1024-49151 are user ports (or registered ports)
And 49152-65535 are private ports (or dynamic ports)
Any services run on the system ports must be run by the root user, not a less-privileged user. The idea behind this (per W3) is that you’re less likely to get a spoofed server process on a typically trusted port with this restriction in place.
Ok, but what actually uses this file? Why is it still there?
getservent(), which reads the next entry from the services database (see services(5)) and returns a servent structure containing the broken-out fields from the entry.
getservbyname(), which returns a servent structure for the entry from the database that matches the service name using protocol proto
getservbyport(), which returns a servent structure for the entry from the database that matches the port port (given in network byte order) using protocol proto
setservent(), which opens a connection to the database, and sets the next entry to the first entry
The overlapping use of these routines makes service name available by port number and vice versa. Thus, these two commands are equivalent:
telnet localhost 25
telnet localhost smtp
And it’s because of information pulled from /etc/services.
The use you’ve most likely encountered is netstat, if you give it flags to show service names. The names it shows are taken directly from /etc/services (meaning that you can futz with netstat’s output, if you have a little time.)
In short: /etc/services used to match service to port to give some order and identity to things, and it’s used to tell developers when a certain port is off limits so that confusion isn’t introduced. Human readable, machine usable.
Enough about ports; let’s talk about the people
First, let’s talk about the method. Shortly after getting the acceptance for my !!con talk, I went through the entire /etc/services file, looking for people to write to. I scanned for a few things:
Email addresses with domains that looked personal and thus might still exist
Interesting service names
Email addresses from employers whose employees tended to have long tenures
Anything that sparked my interest
I have a lot of interest, and so I ended up with a list of 288 people to try to contact. The latest date in my local copy of /etc/services is in 2006, so I figured I’d be lucky to get responses from three people. And while more than half of the emails certainly bounced (and the varieties of bounce messages and protocols had enough detail to support their own fairly involved blog post), I got a number of replies to my questions about how their work came to involve requesting a port assignment, how it was that they knew what to do, and how the port assignment experience went for them.
I will say that the process revealed an interesting difference between how I’d write to folks as a writer and researcher (my old career) vs. how one writes questions as an engineer. As a writer working on a story that would eventually involve talking to people about a subject, I would research independently and only later approach the people involved; my questions would start a few steps back from what I already knew to be true from my research. This allows room for people to feel like experts, to provide color and detail, and to offer nuance that doesn’t come out if the person asking questions charges in declaring what they know and asking smaller, more closed questions.
This is… not the case in computer science, when questions are typically prefaced with a roundup of all 47 things you’ve googled, attempted, and wondered about, in the interest of expediency. This meant that my very second-person questions, in the vein of “how did you do this” and “what was the nature of your process,” sometimes were taken as some email rando not being able to, how you say, navigate the internet in a most basic way.
The more you know.
Happily, I got more than three responses, and people were incredibly generous in sharing their experiences, details of their work, and sometimes relevant messages from their astonishingly deep email archives.
bb, port 1984: Sean MacGuire
The first response I got, delightfully, was for the service named after my initials: bb, on port 1984. More delightfully, this turned out to be the port reserved for software called Big Brother, “the first Web-based Systems and Network Monitor.” Its author, Sean MacGuire, figured out the process for reserving a port after researching IANA’s role in it. At the time (January 1999), it was approved in 12 days. He described it as “totally painless.” Fun fact: Sean also registered the 65th registered domain in Canada, which required faxing proof of the company and making a phone call to the registrar.
The thing I started to learn with Sean’s response was how this was, at one point, pretty ordinary. Most web-based services restrict themselves to ports 80 and 443 now, in large part because a lot of enterprise security products clamp down on access by closing less-commonly used ports, so reserving a port for your new service isn’t always a necessary step now.
In which I am written to by one of the chief architects of the internet as we know it
The next response I got was from a little further back in computer science history. For context, I’ll tell you how I went about contacting people: back in December, after my talk was accepted for !!con West, I went through the /etc/services file on my computer and selected people to contact. I picked people whose email address domains looked like they might still be around, who worked for companies where people tend to have long tenures, or who were contacts tied to interesting-sounding services.
I did this across about ten days, which meant that, by the time I got to the end, I couldn’t have recounted to you the first folks I selected, particularly as I’d chosen 288 people to try to reach in all. Incidentally, about half of those bounced – not nearly as many as I expected.
This is all to say that I was a little startled to read this response:
> How did you come to be the person in charge of reserving the port
I designed the HTTP protocol
Which reminded me that I had indeed selected this entry as one worth diving into, when I was first getting a handle on this research:
http 80/udp www www-http # World Wide Web HTTP
http 80/tcp www www-http # World Wide Web HTTP
# Tim Berners-Lee <timbl@W3.org>
He was, I am pleased to say, impeccably polite in his brief response, and he recommended his book, Weaving the Web, which is such a wonderful look at finding compromise between competing standards and design decisions across dozens of institutions, countries, and strong-willed people. As he said, more information on his place within this work and that file can be found there, and if you’re at all curious, I so recommend it.
I also liked that some people had fun with this or considered it, as Christian Treczoks of Digivote, port 3223, put it, a “real “YEAH!” moment.” Barney Wolff, of LUPA, worked a few layers of meaning into his assignment of port 1212: “I picked 1212 because the telephone info number was <area>-555-1212. And LUPA (an acronym for Look Up Phone Access) was a pun on my last name. I don’t know if my bosses at ATT or anyone at IANA ever noticed that.”
Christian Catchpole claimed port 1185, appropriately named catchpole. He requested a low port number in the interest of claiming something memorable. He explained: “The original project back in 2002 involved a compact wire protocol for streaming objects, data structures and commands etc. While the original software written is no longer in the picture, the current purpose of the port number involves the same object streaming principal. I am currently using the port for async communications for my autonomous marine robotics project.” The original uses of many ports have shifted into computer science history, but Christian’s projects live on.
Alan Clifford (mice, port 5022) claimed his space for a personal project; approval took 21 days. (He, like several people I contacted, keeps a deep and immaculate email archive.) Mark Valence (keysrvr at 19283 and keyshadow at 19315) recounted his involvement thusly: “I was writing the code, and part of that process is choosing a port to use.” He ended up in /etc/services around 1990 or 1991, when his team was adding TCP/IP as an option for their network service a year or so prior, enabling Macs, PCs, and various Unix systems to communicate with each other.
Ulrich Kortenkamp (port 3770, cindycollab) was one of two developers of Cinderella, and he claimed a port in /etc/services to codify their use of a private port for data exchange. He added: “And I am still proud to be in that file :)”
Greg Hudson’s contributions date to his time as a staff engineer at MIT, when he became a contributor to and then a maintainer of the school’s Zephyr IM protocol (zephyr-hm in the file) and then similarly with Subversion, the open-source version control system now distributed by Apache. His name is connected to ports 2102-2104 for Zephyr and port 3690 for Subversion.
Jeroen Massar has his name connected to four ports:
He noted that AURORA also has an SCTP allocation too, which is still fairly rare, despite that protocol being available since 2011. He remarked, “[This] is actually likely the ‘cool’ thing about having ‘your own port number’: there is only 65536 of them, and my name is on 4 of them ;)”
I asked people how they knew what to do; some were basically like :shrug: “The RFC?” But others explained their context at the time. Mostly, folks seemed to have general industry awareness of this process and file just because of the work they did. (“I was the ‘Network Guy’ in the company,” said Christian Treczoks.) Some knew the RFC or knew to look for it; others had been involved with the IETF and were around for the formation of these standards. My anecdotal impression was that it was, at that point, just part of the work. If you were on a project that was likely to need a port, it was known how you’d go about getting it.
Who controls this file? Where does the official version come from?
Like so many things in the big world of the internet, /etc/services and its contents are controlled by IANA. The official version varies; what’s on IANA’s official and most up-to-date version deviates some from what you might find locally. The version of /etc/services on my Mac, as I’ve mentioned, is about 13 years out of date. However, people are still claiming ports, and you can see the most current port assignments at IANA’s online version.
On most Unixes, the version of /etc/services you see is a snapshot of the file taken from IANA’s official version at the time that version of the OS was released. When installing new services, often you’ll want to tweak your local copy of /etc/services to reflect the new service, if it’s not already there, even if only as a reminder.
However, updates vary between OSes; the version included with the Mac OS is not the most current, and how updates are added and communicated can vary widely. Debian, for instance, furnishes /etc/services as part of the netbase package, which includes “the necessary infrastructure for basic TCP/IP based networking.” If the included version of /etc/services got out of date, one could file a bug to get it updated.
To learn how /etc/services managed and how to contribute, the golden standard is:
No, seriously. The Procedures for the Management of the Service Name and Transport Protocol Port Number Registry has most of what you would need to figure out how to request your own port. While the process is less common now, it’s still regimented and robustly maintained. There’s a whole page just about statistics for port request and assignment operations. While this isn’t as commonly used as it once was, it’s still carefully governed.
RFC 7605, Recommendations on Using Assigned Transport Port Numbers, includes guidance on when to request a port). 7605 and 6335 are concatenated together as BCP 165, though 6335 is still referred to frequently and is the most commonly sought and cited resource.
How can you get your piece of /etc/services glory?
There’s real estate left to claim; as of this writing, more than 400 ports are still available. Others have notes that the service claims are due to be removed, with timestamps from a few years ago, and just haven’t yet.
If you have a service in need of a port, I am pleased to tell you that there is a handy form to submit your port assignment request. You’ll need a service name, transport protocol, and your contact information, as you might guess. You can also provide comments and some other information to bolster your claim. The folks managing this are pretty efficient, so if your request is valid, you could have your own port in a couple of weeks, and then you could be hiding inside of your computer many years from now, waiting to startle nosy nerds like me.
Despite the shift to leaning more heavily on ports 80 and 443, people are absolutely still claiming ports for their services. While the last date in my computer’s /etc/services file is from about a decade ago, the master IANA list already has a number of dates from this year.
So: make your service, complete the form, and wait approximately two weeks. Then cat /etc/services | grep $YourName, and your immortality is assured (until IANA does an audit, anyway).
And if you do, please let me know. Enabling people to do great, weird, and interesting things is one of my favorite uses of time, and it’d make my day. Because there are no computers without people (or not yet, anyway), and a piece of that 16-bit range is waiting to give your work one more piece of legitimacy and identity.
Thanks to everyone who wrote back to me for being so generous with their experiences, to Christine Spang for the details about Debian /etc/services updates, to the patient overseers of RFC 6335, and the authors of all the RFCs and other standards that have managed to keep this weird world running.
I write to you from beautiful and astonishingly cold Waterloo, Ontario, Canada, where the people are kind and the excitement is palpable. (Really – everyone’s excited about what they’re doing and about sharing it. It’s great.) I did a new talk during the morning session about what I learned from my life in editorial that applied to dealing with code reviews as an engineer. Slides to come; for now, I have a written-out version for you over at Truss.works.
In the meantime, enjoy a picture of me in a tuque provided to me by a kind-hearted organizer so I’d be slightly less likely to die on the trek between my Airbnb and the university. I like it here.
One of my favorite ways to learn things (to complement, you know, doing them) is writing about them. In fact, I have a talking coming up in, oh, less than two weeks that talks in some detail about just this. It is, in my opinion, one of the advantages to hiring me, to be both self-serving and accurate about it.
I wonder how many of Unsplash‘s image results for “container” I can use before we turn to another new, shiny step into the future. Here’s another one I considered using, but I decided to stay more in our vein of infrastructure, getting things done, and the bay.
I wrote for work! I love writing for work. This time, I got to write the first entry in our security series and talk about sufficiently complex passwords, how to store them, and how to manage them across time and breaches. (Bonus: my predilection for taking travel pictures of forbidding fences and danger signs wound up being really helpful in our quest to avoid trite security-themed clip art.)
This was an exciting one to write. We’re not a security company (in fact, we are infrastructuralists, in case you had not heard), but good, solid practices, including security in all its forms, do touch our work pretty often. (See: the conversations I have with people who work with my client periodically about how we cannot use AMIs made by outsiders, we cannot use Docker containers not created internally, and we need a really-no-seriously good reason to peer our VPC to theirs.)
However, like lots of people in tech or even tech adjacent, the people we love who aren’t in tech and aren’t so steeped in this stuff ask us for guidance in how to be safer online from a technological standpoint. My password post (tl;dr: get a password manager, change all those reused passwords, repent and sin no more) is the first; we’ll also be covering how vital software updates are, how treacherous email can be, and why ad blockers are good for more than just telling popups to stfu. We’re writing this series to have a good, reliable resource for us and for others called to do Loved One Tech Support so that even those not glued to their laptop for the duration of their professional lives can adopt good practices and not be totally hosed the next time some major company’s store of usernames and passwords gets breached.
I decided to go to DEF CON last year on a lark. I went to a WISP lockpicking event last June with a friend and coworker, who informed me that she was considering going, and oh, hey, did I want to come with? I’d heard of it before, but not in detail and not quite in the right context to make it sound like something I’d want to attempt. This time landed differently, though. (I blame having recently learned to use a handcuff shim.) I spent the evening after the event looking up flights to Vegas, hotels, and other research that suggested this was not a financially responsible move and not really very good timing either. Still, it stuck in my head, and I had to pull myself away from Kayak and its ilk and make myself go to bed later than was ideal.*
The next day, I mentioned it to a different coworker, who has a good balance of fun and financial responsibility. Since we were less than a month out from the event and I had neither transportation nor a place to stay, I expected her to talk me down and suggest that I try next year.
Instead, she told me she was going, and did I want to share a room? And that was phase one done – resolve achieved, bed secured, posse acquired, and only the small matter of airfare and time off to deal with. Fine fine.
Phase two was one I’ll call, “Oh, you’re doing to DEF CON? That’s… interesting.” This phase happened after reservations were in place, when I told friends and colleagues in tech what I was planning. The reactions tended to be similar: a mix of understanding why I’d consider doing such a thing and affectionate concern based on knowledge or experience of some shitty person or people in their past. These reactions came in a few flavors:
I went a few times but then had to stop [insert ominous look here]
I wouldn’t go there if you paid me, not any amount
I hope you enjoy yourself, but be careful (and you’re not going alone, right?)
You are not allowed to take any work assets with you on this trip
(This last one came from one of our bosses. We complied.)
Research nerd that I am, I looked up “How to DEF CON” but largely found articles aimed at, well, stinky boys. (#NotAllStinkyBoys, I know, but you should talk to other, more prominent bloggers about that if you want to shift those optics.) I did come away with some good, more general advice, most of which echoed what had been said to me already. Things like:
Turn off the wifi on your phone
Probably just keep your phone on airplane mode when you’re in the thick of things
Maybe keep it in a faraday bag, while you’re at it, come to that, and still wipe and restore it when you get home, because you never know
Just leave it at home, assuming home is in another state
Trust no ATM in proximity to the conference (though casino floor ones might be ok, heavily monitored as they are – but if you can get by without, do that)
Don’t bring your laptop; bring a burner if really must
Probably bring a burner phone too, really
Bring enough cash to exist on, if you can, and maybe don’t muck around with credit or debit cards (though opt for credit if you must, because they have fraud protection)
It’s more about people than the sessions
Go to parties and side events and games and whatever else crosses your radar. Here’s a good place to start getting a sense of what’s possible for the 2017 one.
All good and well, sure. What I didn’t find was advice to match the portents from friends based specifically on my situation as a woman heading to DEF CON. So, in the way of the semi-reformed content marketer that I am, I decided to put together my own resource. So, here you go: how I, a woman, an engineer, and a hard introvert with a low tolerance for dickheads, recommend approaching DEF CON.
Packing for DEF CON
The Las Vegas setting of DEF CON means that you’ll be walking between ovens and refrigerators most of the time. This is a great recipe for feeling a little uncomfortable and a little gross during most of your waking hours, but you can plan around this.
For general packing, here’s what I recommend.
Bring twice as many pairs of underwear as the number of days that you’re staying. Even when it isn’t warm in those big event spaces, it’s still close; you will appreciate the option to swap out layers without taking anxious inventory as you near the end of your trip.
Wear clothes that breathe. Beyond that, of course, wear what you want. Some women find it useful to go stealth in a hoodie and jeans; I found it oddly fun to be as dressy there as I sometimes am in normal life – but I also appreciated having options depending on the feeling of the day. Decide what will be more likely to make you feel comfortable in the context of a very busy, very distinctive conference, and you’ll be fine.
Excedrin. I’m headache-prone, so that’s a given for me.
Sleeping pills, if you roll that way. I like an OTC sleeping pill when I’m not sleeping at home. This last year, I, a person who lives alone for sanity-keeping purposes, shared a hotel room with three other people. It was worth cutting off any booze around ten so I could safely tranq myself to sleep and be both smart and sociable the next day.
And for your day-to-day pack, I suggest a not-small water bottle (at least 750ml), more snacks than you think you’ll really need, a hand fan, and a notebook and pens. You will learn about all sorts of weird shit, plus Twitter handles to follow, sites to look up, rad repos, and talks of yore. Have an analog way to record them for later.
Planning And Attending
Secure your tech.
See the earlier suggestion about burner laptops and/or phones and/or faraday containment devices. I learned while I was there that Bally’s told their entire staff to keep their phones off while working that weekend. I originally went on airplane mode for the first couple of days until coordinating with my friends got very annoying; then I used cell data only. Things went fine, but I plan to get a burner in place for this year. Figure that you’re going to be going fairly analog in the middle of a tech-centered conference, plan accordingly, and you’ll be fine.
An exception is if you want to participate in a CTF event or a tutorial – you’ll want a proper laptop for that kind of thing. Consider a Chromebook with Kali with no stored login information, with a plan to wipe it when you get home. And if you’re not sure of what a CTF is or are feeling a little daunted, this writeup of a rad engineer’s first one is pretty exciting.
If you do decide to bring a laptop, you can take your chances with official conference internet. Bear in mind that you need to set it up beforehand; go here for more details.
Walk fast, or make plans based on geography rather than strictly interest.
I don’t know how the rest of you manage to get to the talks you want, if they’re far away from each other. I sped across the Bally’s gaming floor over and over, from front to back, from side to side, from Vegas to Paris and back, going from a far-off upstairs meeting room to an upper-floor set of executive suites to a trio of enormous function rooms off of hallways made to look like a more restrained Versailles. I was a little more session-motivated than most people seemed to be (including the friends I traveled with), but the time between sessions made that difficult. If I didn’t walk fast and didn’t enjoy walking fast, I would’ve seen far fewer things.
Figure out where the water fountains are.
And keep that big-ass water bottle full. Plan on refilling it every couple of sessions. I’m not sure what it is about being around so many other people in close proximity that brings biological needs so much to the forefront, but it does. Routine dips in hydration or blood sugar become so much more pressing, even while surrounded by water fountains and stores only too eager to sell you supplies. Plan ahead, and your brain will work better for you.
If a party sounds cool, just sign up.
Lots of companies and villages and groups have parties, minicons, and other events. If you happen upon one that sounds good, and they request an RSVP, just do it (unless it’s a tutorial with a small capacity – then be cool, please). Everyone is dashing between five things most of the time while they’re there; might as well ensure your name is on the list.
Research sessions ahead of time; do multiple-choice selections in the moment.
(If you care a lot about sessions, of course.) To ensure you see more of what you want to see (because you will not see it all), I’d suggest culling possibilities ahead of time. I liked the app for this, as it shows you everything across the villages and the main con itself, and it lets you add competing sessions to your schedule for easy picking. There’s also the physical book you get when you check in – and the conference website, of course. Note everything that sounds interesting. Particularly if you’re new, you’ll probably learn something regardless of what you select.
However, let the final selection come in the moment, when you’re on one side of the conference space and you have to choose between staying put and sprinting across a casino floor; when it’s 20 floors up, and the lone functioning elevator is not behaving; when the line for a session is full 30 minutes before the doors open. Give yourself a few options for each timeslot and then let the conditions of the moment dictate what you actually try to do.
Where current events and infosec meet (like the one where a nice Danish man talked about the Ashley Madison hack and online information hygiene)
Mostly we’re fucked (that is, the intersection of “how to break shit” and IoT things)
I’ll likely stick to those same themes this year, but I’ll try to go outside of them too.
Be open to new things.
Skills, smells, weird social skills and experiences. There aren’t a lot of spaces like this on earth, so roll with it when it makes sense. You can be in predictable company later.
This was a big part of what friends in the know warned me about. It seems like everyone who’s gone enough times has a story of someone acting like a most memorable piece of shit. I had a couple brushes with annoying sexist nonsense, but clearly not enough to dissuade me to come again this year. (My current prediction is that I’ll get to come three times before something really obnoxious happens, enough to make me say the hell with it and stick to B-Sides, but I look forward to being proven wrong.) However, fucked-up things, of course, aren’t necessarily tied to gender. A male colleague of mine stopped going around DEF CON 12 when he saw someone dancing drunkenly with a live firearm at a party. We all have our limits.
Don’t go to pool parties.
(This is clearly highly subjective, and the friends I went with may likely disagree, but.) Not all dudes (#NotAllDudes) werewolf out at these very guy-centered events with bars, but enough do that I don’t find it worth it when I could be doing anything else. If you also have a certain ungenerous tolerance for risk, go literally anywhere else, because if that place sucks, you can leave much more easily than if you’re in a wet swimsuit. My tolerance for uncertain behavior in social situations out of my control has a pretty hard limit. This is outside of it. You can, of course, decide based on your own “hell no” scale.
If you can go stealth, eavesdrop on non-conference folks.
There are people – unfortunate people, innocent people, sweet summer children – who planned their Vegas escape not knowing what they’d be encountering. They thought they were there to see Cirque and eat crab legs, and they ended up navigating hordes of goons for 14 hours a day. They are hilarious and wonderful. I recommend lingering by customer service or at the buffet to overhear what you can. I felt considerably more badass after overhearing a few minutes of speculation of just what the hell was going on with all the people with skull badges between a clerk and a customer at the Paris casino loyalty club desk.
Even (especially) if you find yourself in the same room for several sessions in a row. Get up and stretch, especially your quads. You’ll have several days of this. Take care of yourself.
It’s worth it to stop by the vendors. The stuff for sale last year typically fell into one of three categories: learning, mayhem, and novelty t-shirts. The first two are pretty alluring to me, and I saw things for sale that one doesn’t typically see anywhere else. It’s worth budgeting for, ideally in cash.
My souvenirs from last year included a pen testing book from No Starch, a couple handcuff shims (you never know), two clear padlocks, and a set of lockpicks for the friend who watched my cats while I was gone. I was pretty satisfied with this, and this year I’ll probably budget for an Ubertooth or something else similarly fun and shiny.
It’s normal, with conferences, to be tempted to wait until the last day to go buy things to try to catch discounts, but at DEF CON, stuff will sell out. If there’s something you really want (and really don’t want to buy online with a credit card), just get it the first day. Nothing is overpriced if you’re satisfied with what you bought and happy with the experience.
One exception is if you wear a smaller t-shirt size. Sizes L and bigger sell out pretty fast, so if you wear one of those: buy sooner. If you’re more of a small or medium: late Saturday or anytime Sunday is a fine time to get your smaller DEF CON shirt with a little break in price.
What I’ll Do Differently This Year
I was pretty satisfied with how last year went, particularly considering the warnings I got. That said, there are a few things I’ll keep in mind when planning my 2017 trip.
Get there on Wednesday night.
Last year, my friends and I used the typical metric of nonprofessional, more culture-centered conferences and planned to arrive on day two. This meant we had access to zero workshops, missed a bunch of DEF CON 101 stuff, and spent more than a day with the flimsy temp badges they give out once the rad ones are gone. It was not an unreasonable approach, but it was wrong and a bit of a bummer. This time, we’re getting in on Wednesday night.
Figure out parties and villages to visit ahead of time.
Last year, though I was told about this, I didn’t quite get how much of DEF CON is in the side events. Deep down, I am basically Hermione, so the idea of paying for a conference and not going to as much of its official programming as I reasonably could just did not compute. This time, I’m going to ask my friends to help me be more fun than comes naturally to me sometimes.
Tell people who say stupid things to fuck off.
I’m really only thinking of a single situation here, but I was still in “I’m new, I’m a guest in this place and trying to learn it” mode, so I didn’t say anything, and clearly it still bothers me. So: I’ll say something next time. If someone else feels safe to be a little obnoxious, I’ll remind myself that I have the privilege to risk the same. There were 22,000 people there last year. I can tell someone acting like an ass to get the hell away from me, and I’ll go try my luck with the other 21,999.
What I’ll Repeat
Roll with a group of women.
Our lady quad occasionally picked up other lone women like an awesome Katamari, and it was a great way to meet interesting people. It was easier to take chances and drift away for a few hours because I knew I could rejoin my group of understanding friendlies whenever I needed to. (If you’re a woman going solo to DEF CON, feel free to say hello. We would love to meet you.)
Revel in the very short women’s bathroom lines, because when do I ever get to experience that otherwise. (Infosec and infosec-adjacent conferences, that’s when. I don’t like what it’s a symptom of, but I’ll take a very small bit of ease in the meantime.)
Stay nearby, but not in the conference hotel itself.
I liked being able to use wifi when I tucked in for the night (though there are reasonable arguments that even this is not a great move), and there was something calming about leaving the middle of the action and being able to turn off my situational wariness.
I’m an engineer with a love of people breaking shit, making shit do what it was not originally intended to do, and smartasses in general. I liked DEF CON. I’m looking forward to it again – enough to deal with Las Vegas in bloody July. However, it’s very much its own weird animal. It’s a self-selected group that’s different than any I’ve ever circulated amongst before. But, like most groups of humans, most people are benign, some are interesting, some are “interesting,” some are lovely, and some are viruses with shoes. I’d say, in going to DEF CON, your chances of having something unpleasantly memorable happen are higher than among the average population, but not so high that it’s worth skipping if you also like the things I listed above.
There are situations, though, that don’t fit neatly into the suggestions and categories I set out above, so I’ll leave you with some miscellaneous observations from my notebook to place you in the setting in a more immediate way.
98.6 degrees in here, and a pervasive recurring smell of farts and accumulated humanity.
Opinionated, reality-divorced emitters of skin clouds and biome signature
Apparently a room full of dudes will not understand why you shouldn’t text your dick to someone
The current version of the US military interrogation manual is online and freely available
3 pm: am mostly sure I am not the source of the back row funk cloud here. 3:30: rest of row left. Less sure, although funk cloud also left, so…
Being a woman with a wordsmith background and a tendency to observe behavior may make me an ideal mole-type. Stereotypes help us defend ourselves (or have), but we can still exploit that shit.
Social engineering as a woman, at a talk by women, for surprised men
However, I hope, if you’re tempted, you’ll just go for it. Come say hi if you do. And, while you’re there, try to sleep enough, don’t get too fucked up and hungover, and keep your water bottle full. And, with luck, I won’t be back here in August or in another year or two, writing about how all the warnings were right. With luck, you’ll have a good time too, if you decide to go for it.
A Little More Information, if You Want It
If you’re still figuring out how to do this, here are some more resources for you.
There are ways around some of these things, of course. I used Southwest points for my flight this year and am splitting a nearby Airbnb with friends, so we have more room for less money. Last year, I tried to have one good, robust meal out per day so that I wouldn’t feel too messed up from Clif bars and breakfast buffets. Figure out what you need to feel like a functioning human; budget for that. Find a roommate online if you’re broke and brave. There’s a good chance you can make this work, if you’re willing to hustle a little.
It gets fucked up sometimes. One of my remarkable bits of good luck is that malignant dudes mostly let me live my life. Other women are not so lucky. This post gives you an idea of what another side of the experience, quite different than mine, can be like. Take care of yourself, please. We need you.
The scene: I was going back to a set of 18-month-old Packer files to add set -eux -o pipefail to each file in the build. (If you’re not familiar with this command and its uses, here’s where I learned about it. Highly recommended.) I’d recently had a two-day time sink, wherein I couldn’t get LDAP access to work on our CI/CD, and eventually I found that the shell script that adds our LDAP certs had coughed and died midway through without Packer erroring out and letting me know that something was wrong. LDAP failure is a pretty common sign that something is wrong with our CI/CD, but in the past it’s been due to more exotic problems than Packer petering out. Pipefail isn’t necessarily the right tool for every job, but I wanted to spare my future self these issues, where VERY SIGNIFICANT PROBLEMS might otherwise be buried in a billion screens of Packer output.
(Yes, I’ll still look at the credentials folder first next time.)
That was how I learned that Packer scripts can fail, but the build can still complete. This surprised me, considering how many failed builds I experienced when I was first working with Packer. So now I’m working through each script, finding quiet problems (such as unnecessary symbolic links being created during the installation of our version of Java) and other issues that perhaps aren’t problems today but may arise like the kraken later to take its accumulated revenge. Like I said, these scripts have been in use for about a year and a half, building AMIs at least once a month. Usually, only the base AMI changes, and the only other alterations have been additions – this version of Ruby that one dev team needs, this package for another group. Beyond that, it’s been pretty steady, which means a fair amount of time has passed since any kind of in-depth review of these files.
Pipefail is a great and rather educational way to work through your scripts, but on a recent day of this little side project, I encountered a surprising problem. In one of the scripts, PATH is augmented, followed by source /etc/bashrc. This is when the file errored out, with a gasp of amazon-ebs: /etc/bashrc: line 12: PS1: unbound variable.
What in the what?
I did some googling for this unbound variable business, but the results didn’t apply to what I was doing. I wasn’t failing to create $youMessedUp. /etc/bashrc did indeed exist in the Packer Build instance, which I confirmed by, variously, touch /etc/bashrc, ls -a /etc | grep bashrc, and cat /etc/bashrc, at various times in my troubleshooting. The source command was being used correctly. And there were exactly no variables in that script.
But /etc/bashrc was a robust file, quite lengthy compared to the most familiar file of its type in my life, the ~/.bashrc on my own machine. There was a lot going on in there… including variables. And because of the kinds of AMIs I use on this project – that is, AMIs built by a different team I have little contact with, issued every month without exhausting notes on what might have changed from the last version – any alteration I might have made that day might be useless or, worse, damaging when applied blindly next month.
Beyond that, there was the issue of scope. This pipefail project was supposed to be about controlling my end of things. Faulty machine images and limited control are just part of my job. I’ve dealt with said images, but the dealing is not typically dont in shell scripts. Usually, if it’s something especially sticky, the job becomes one of communication, wherein I document what’s up and reach out to the agency in charge of regular base AMI creation so we can sort things out.
So that resolution and realization was where set +u came in.
I have an ongoing concern that shortcuts that I think are efficient might be unhelpful cheating, especially in this particular phase of my career. I ran my error and my situation by a few more senior engineers at my job. The idea of set +u came up. And said seniors confirmed that this was just wise and not laziness.
That is, repeating the command at the top of the page. +u reverses that initial -u flag, which ends the script when an unbound variable happens. For that one line, only set -ex -o pipefail is in play, minus that situationally unfortunate -u.
This is useful if you have a weird situation like mine, where you need to run bash strict mode most of the time but have a line or a section of a script that deals with a resource that’s out of your control (but which you can still trust). Other times this is useful is if you’re activating a virtualenv in Python. In that case, set -u may be best set aside for that particular endeavor. In short, if your script is opening a big bucket of things out of your control (/etc/bashrc, the contents of an /env/bin/activate folder), and you want to go full set -eux -o pipefail otherwise, pop a little set+u in there.
But, this specific little situation aside, I’ve become a convert for set -eux -o pipefail on my Packer builds for sure and will probably keep the habit when I’m in a situation where I’m using AMIs not made by an outside team. The more you know, right?
The question of how to install things still trips me up sometimes. There are a bunch of possible ways it could be done in any given situation, and fairly often, the preferred method isn’t detailed overly meticulously in the README or other docs. Sometimes you have to clone repos and run a certain command in that directory; sometimes it means adding something to /usr/bin and opening a new terminal window; sometimes you summon a UI with a texty terminal command, which feels oddly like sorcery to me.
It’s a good deal easier now, but when I was just starting it could be a real trial. I spent a lot of an afternoon at Hackbright struggling with Postgres because I did a brew install instead of Postgres.app, which… did not get me what I needed and introduced a host of other problems. (It did get me a really interesting philosophical kind of conversation about the pros and cons of installing things from too high a level, courtesy of a teacher who became my friend – who still semifondly recalls that time she had to unpick what fuckery I’d wrought in such good faith.)
Today, trying to figure out how to get the command ldapsearch available to me, I learned one thing and was reminded of another.
I learned yum whatprovides */$WhatYouSeek. (Thanks, Server Fault.) In my case, ldapsearch was one of several commands inside a differently named package: openldap. Oho. (It’s actually in a couple different families of packages, but I do not need to get Perl up in my business today.)
I was reminded that – less commonly for the kind of work that I do – sometimes the needed command is not the name of the package. Some packages aren’t all about one command doing one thing well, despite the best urgings of the Unix philosophy. So – ldapsearch is snuggled into openldap. Got it.
Instead, I came off the stage, waited for my heart rate to return to normal, and thought, That was fabulous. I came home that night and started a doc to collect future talk ideas I might come up with.
In the way of any process nerd who loves a post-mortem, I’ve been thinking about what worked and what didn’t. Here’s what I learned from my first foray into speaking in this particular professional world and what I wish I’d known back in November.
Start with something you already half know.
It’s a pretty common trick to pitch a talk based on something you want to learn, as the impending obligation will make damn sure you do the thing you committed to doing. However, if you’re just starting out, take it easy on yourself – pick a subject you’re already at least fairly familiar with.
My topic originally came from one of my bosses, who knew I’d been reading a man page most workdays in an effort to get more adept at the command line and Linux in general. (Which, in turn, was a great idea suggested by a wise coworker. Highly recommended, and I’ll be writing more about it later.) Said boss tipped me off to the surprising history of the formatting tool behind man pages, mentioned that this exceedingly appropriate conference was coming up, and gave me the nudge I needed to submit a proposal.
If I’d needed to start by figuring out just what the hell a man page was, the challenge would have been too daunting to feel attainable. Instead, I had already read several dozen man pages and had a sense of their structure and tone, plus some opinions about what parts were most effective for helping me with my work. With that basic learning out of the way, I got to focus on the fun part of learning the background and making it as interesting to other people as it was to me.
Write a blog version of your talk. Seriously.
When it comes to things like writing and online promotion, I have skills that give me some useful advantages. In my past professional life, I was a writer, editor, and content strategist, and I spent more time than I liked using social media in a professional context. Because of this, writing an accompanying blog post while I was finishing my talk took relatively little additional effort, since the research and structure were already there. With that part finished, writing a fairly lengthy prose version of my presentation was a no-brainer for me, since a lot of the work that would usually go into an original blog post was already done.
This isn’t true for a lot of people, I realize, because most people didn’t spend more than a decade dashing out thousands upon thousands of words about hotels and waterparks and white noise machines and content marketing practices and travel destinations and many, many other subjects. I’m uncommon that way, and I recognize that.
However, even if writing is difficult for you, writing something to accompany your talk can give you a remarkable return on the energy invested. Even just enough paragraphs to hold all the links in your bibliography is a worthwhile resource for someone looking to learn more about your subject.
In my slides, I provided the short URL for my company’s blog and pinned a tweet with the post link on Twitter. On top of that, my talk title and my name were on every slide, and I started and ended the presentation with my Twitter handle.
The day of the talk, I’d intended to put my phone in my backpack when I went onto the stage. Instead, in the sweep of adrenaline after I got miced up and ready to go, I left my phone tucked in the bodice of my pocketless dress. About a minute into my talk, my phone began buzzing, and it rarely stopped for the entire 19-odd minutes of my talk. It was only after I was finished that I got to peek and see what was up. I had been quietly hoping, as I talked, that there hadn’t been a death in the family, or a disaster in San Francisco, or any of the other darker events that usually make a phone blow up at 9:45 am on a weekday.
But no: it was TWITTER. Follows and tweets and retweets and likes, my talking points spread far and wide, my tidbits turned hashtags, and that pinned tweet with my link in it racing steadily from conference-goer to conference-goer and beyond.
It was so much more than I’d even dared to imagine. I’d written the post because I dislike when a really interesting talk proves ephemeral – a hashtag and a hastily photographed bibliography slide, and then all that might be left is a title listed on a conference website. It’s a bummer when someone put the effort in and made a really memorable, effective talk, and all I have to show anyone else is a blurry slide photo and maybe some quick notes.
So I wrote it for people like me, who like to be able to revisit what was discussed and to click links rather than transcribing, to command-F instead of clicking around a video. I also wanted some artifact of my work on my company’s blog, as my bosses had very kindly allowed me to do a lot of talk prep on company time.
And it was worth it. My company’s site got more hits that day than we had in the twelve months prior. (We’re wonderful, but niche for sure.) A few weeks later, I had my own work recommended to me on Twitter by someone who didn’t remember my name as a speaker but did remember my talk.* Recently, I looked up “man page history” to learn about the -c flag for the history command, and I found that, even in an incognito window, my talk was the sixth result for that search. WHAT.
So, if it’s at all within your powers to do so, write up your talk. Publish the day of or the day before, and have tweets ready for yourself and your employer, if you work somewhere that does Twitter. Make it available on your slides and on your social media. Make it accessible. And if you can’t write it? Consider doing a skill trade with someone or even hiring someone to write it for you. Don’t know any writers for hire? Contact me, and I can put you in touch with someone who will make your work shine. The cost of the work of a good writer, correctly used, is very often a bargain.
Get advice from an accomplished speaker.
Maybe this is my other cheat: one of my bosses is an especially experienced, very skilled speaker and has a lot of clear, tested advice around how to approach it.** I got to sit down with him for an hour early in my talk creation process and get his suggestions on how to prepare, how to work with the conference staff, and how to make the day of go as smoothly as possible. A few things I wouldn’t have known otherwise:
Do a brown M&M test: ask your contact if there’s a prep room, how their AV will work, if they have a provided deck template to work from, what kind of microphone they’ll be providing, and when you need to arrive – among other logistical questions. You need to know these things, but it’s also good to know if they don’t know them yet. This lets you better prepare both yourself and your expectations. If the people running the conference are inexperienced, your questions could provide some structure for their plans. Win/win.
Do a little cardio (a quick jog down the conference hall, jumping jacks) just before so that your body has a good reason for your heart to be racing a little. And lay off the coffee until you’re done.
Make sure you have some kind of timing advice available – and bring one even if the venue promises to have one.
Put time markers in your slide notes so you can tell that you’re keeping the right pace in the time allotted.
Try to get a friend/plant in the audience so that you have a friendly visual focus, feedback, and prompts if needed.
I’d done one talk before but in a pretty different context, so I had no way of knowing these things ahead of time. A little expert advice spared me a lot of uncertainty.
Do multiple test runs. For humans.
I practiced my talk for two solid weeks leading up to the conference. In order, here were my test audiences and what I learned from each.
My cats: I could string the sentences together well enough, and my jokes felt ok to say. (This was me running through my slides in my apartment over and over until I felt a rhythm begin to come together.)
One coworker: the Keynote theme I’d chosen included slides with grey text on a black background. This was very hard to read (and just in time to fix). Doing a test run earlier on also lets you test out storylines and interest in your material before you’re fully committed.
My entire company: I needed more confidence in my jokes and to give them time to land – my usual deadpan understatement was not working for this talk. Also, I needed to stop putting my hands in my pockets.
It’s hard to hear criticism, but it’s a delight to get feedback at a time when you can still do something about it. Find your critical audience and have at least a couple tries when you still have enough time to course correct.
Not everything is riding on this one time.
I am very pleased with how this all turned out. It was a lot of work, but it was enormously rewarding, and I got to feel a sense of professional community I hadn’t experienced at that point. I still get to have surprise conversations with online strangers about man pages. That said, there are still things I’ll be aiming for in my next talk, such as:
Better memorization and the ability to speak more freely without glancing at my notes. Memorization is really hard for me, but I admire the fluidity I see in other speakers who have clearly done the work. I want to be able to give that to people who might hear me in the future.
A little more lightness. While my delivery did what I needed it to do, I found out later that I came across a little more grave than I intended. This is understandable, considering, but I’m a pretty animated and cheery talker in regular life. I’d like to bring some more of that to the way I speak to groups.
More practice and ease. I want to find a local Toastmaster group for some more regular experience with lower stakes, so I can continue teaching my body that I am not going to die of public speaking. Leading up to the talk, when friends asked how it was going and how I felt about it, I told them, “So long as I don’t die, it’ll be a success.” Now I know; I just need to get my body to trust that this really is true.
And the great thing is that I work at a company that encourages speaking in a field that’s hungry for people willing to talk out loud and teach. I’ll get more opportunities – and be better equipped to iterate, improve, and get closer to the skill level I’m aiming for.
If you’re tempted, do the thing.
As I mentioned, I have a background in content marketing, so blogging has always been a part of professionally establishing myself, and it was a particular goal as I got my bearings as an engineer. I figured that I wanted to try to speak too, since it’s a pretty natural extension of presenting ideas in writing. But I thought I’d get a steady clip going on this blog, start getting comfortable exploring and explaining ideas here, and then begin to play with the idea of talking – you know, in time. We do internal talks at my company specifically for that kind of experience, so I figured I’d start there and maybe branch out to local meetups. Go from there. Right?
Then a bigger opportunity came up faster than I expected. But if that hadn’t come together, I would have targeted local meetups. I would have talked internally. I would have organized or participated in a talk night with my school’s alumni group. I would have done it somewhere, and I would’ve been nervous then. And it would have been ok.
If you’re inclined to talk, just do it. There are enough groups, particularly in tech-oriented cities, that someone wants to hear your explanation of whatever it is you find interesting. You’ll also probably meet some rad people while you’re doing it.
A few helpful things for you.
This post from Heidi Waterhouse about how to dress as a speaker is useful in all the ways I usually find “how to dress” articles aren’t. (Most “how to dress” articles are not written by people with hair of a hue similar to my own, for a start.) Pragmatic and with an aim toward natural comfort, this article had enough information that I referred to it several times throughout my talk prep, particularly for advice on dressing around different types of microphones. Read it and avoid unnecessary surprises.
Technically Speaking provides a weekly dose of speaking encouragement and opportunities. The women who run it are smart and opinionated, and if you’re interested in this, it’s a wonderful addition to your inbox. And if you’re considering speaking? (And I hope you do.) Meetup can probably connect you to a group that would be interested in your subject.
And with that, I hope I leave you better off than I was at the start of this odyssey. If you’re interested in something, you probably have something to say about it. I, at least, would love to hear it. :)
*Incidentally, this was not mansplaining - it was communing about a mutually interesting subject and a pretty rad compliment.
**Actually, that's true for a few people I work with and for, but Everett just does MORE of it. Truss has a rad speaking culture, and I dig it.
I hit my one-year anniversary as a software engineer in October. It has been, professionally, one of the harder, stranger years of my life, but the challenges generally were exactly what I hoped they would be: complicated, but with clear questions, and answers that were a pleasure to seek. That said, there are a few things I wish I could whisper to my past self, either right when I was starting this job, just as I was starting Hackbright, or a couple of years ago when I wrote my first lines of Python. Here’s a bit of advice to my past self, to anyone who’s considering this journey, and to anyone who’s still fairly new and would like a little reassurance.
1. Everything I heard about learning this is true (or: no, really, just pick a project).
If you want to learn programming, you do need to just pick a project and proceed. I really disliked this advice when I first heard it, because I am all about context, and I couldn’t imagine picking an appropriate challenge without knowing the limits and possibilities out there. And that’s a legitimate concern – it’s crucial to pick the right-sized problem, so far as complexity and the number of tools it will require, if you’re going to learn without getting so frustrated that you quit prematurely. Even so, it’s those raw edges, that unpredictable stuff, that gives you the real learning, that can be the most educational (and most satisfying) to wrap your brain around.
My real, substantial learning on this job began when I was put on a project, which didn’t happen immediately after I was hired. I had learned things before then, self-studying along in the office, but it lived strictly within the realm of the hypothetical (something I consider likelier a limitation of my own beginner state than anything else). Learning within the context of a project can be kind of like memorizing a poem by hearing every fifth word, and out of order and occasionally in a different language to boot. However, what you do learn will be practical and actionable, and – perhaps most valuable of all – will provide the context around what happened and what you need to do. And eventually, you’ll know a lot of it – and be able to intuit or sleuth out the rest.
My suggestion to you: it’s annoying how much it’s true, but I’d suggest just giving in (and finding a good advisor for picking and shaping your project, if you can). Find a practical problem in your own life and decide a way to start addressing it. If you get stuck, it’s a big, generous internet out there, and some of the people in it will even have right answers.
Bonus suggestion: consider making a command line utility. It has a delightfully low barrier to entry and gives you a great chance to make something useful to you without worrying about deploying or front-end work. If you’re a Python kid like me, start by looking at argparse and then let your imagination run away with you.
Bonus bonus suggestion: many programming communities now have Slack networks that are open to the public, if you request access. If you know you’re interested in a particular language and want someone to ask questions to, see if there’s an active Slack channel for your area of interest. The availability of DMs and the more regulated, curated nature of most Slack communities can make them friendlier to beginners.
2. Learning is a skill. Learning this is a different skill.
Computer science’s history is relatively short, but it’s some dense archeology, if you’re trying to wrap your head around even the most essential central stuff. Some people get to be immersed in it for four years before they’re thrust into the workplace; the rest of us get to pick up on useful commonality when we start playing with our third programming language. (Though people like Gayle Laakmann MacDowell have said that this is far from an insurmountable hindrance.) The good thing is that each new skill you learn will require slightly less origination and effort and will build slightly more on things you’ve already learned.
However, this growing knowledge will never reach one hundred percent, regardless of your background. If you plan on staying in this field, you have to learn to love at least a little constant disorientation. If you aren’t confused on the regular in your first couple of years in this field, you’re not trying hard enough.
My suggestion to you: learn to love feeling like your feet aren’t quite firmly planted beneath you, because it means you’re in the learning space. Disorientation means you’re surrounded entirely by new things to learn. Eat it up.
3. Any dregs of self-consciousness and admitting ignorance will either go out the window fast – or you will remain bad at this.
My company is largely remote four days a week, and I was, for a time, the only engineer in our central office. This meant that, if I had a problem and my manager wasn’t available, I had to go into a public Slack channel to seek help. This eased in time, mostly as I got to know my coworkers better. But until I got to that point, every question I asked felt like broadcasting my ignorance to the company, who only knew me as the inquisitive little Slack avatar. HEY LOOK AT ME HERE’S THE THING I DON’T KNOW OF THE HOUR.
That is, until I stopped caring because I understood that no one else cares. And beyond that, it’s as true here as in any other field that the best time to ask basic-ass questions is toward the beginning, when they naturally occur, before you start eroding the foundation you’re trying to build.
My suggestion to you: breathe deep and get over it – or pretend to until it’s true. Admitting you don’t know something is a vital part of being good at this job, because there’s no room to bullshit. Any fudging you do will be revealed later, and most likely at a really annoying (and embarrassing) time.
4. Useful experience is less about exhaustive knowledge and more about navigating new situations and tech.
Expertise can sometimes be demonstrated by knowing who wrote what language, what the most vital book is about a subject, or the history of the specific design decisions and needs that went into a framework. But this is surface trivia, and what’s most important (to me, so far) is context and the experience that provides it. It’s still the thing I crave most often, when I find myself in those disorienting moments where I don’t know the answer and am not even entirely certain of the right question.
It can be extra frustrating because I don’t just want to know how something works. I also want to know the situations where considering that thing as a solution on a project is appropriate, what would inform that recommendation, and what you heard about its past releases and future plans that might make everything terrible in six months.
I felt this basically constantly at the beginning and now, fourteen months in, I still feel this way pretty often. I choose to view it as still finding this field incredibly interesting. I can’t imagine what being bored or plateauing would look like in this job because there is always, always more stuff. And, after a while, you’ll have experienced enough of it that you’ll know better how to navigate the next big thing.
My suggestion to you: hang in there, mostly. And just be willing to try things, volunteer for new projects, and get all of the experience you can – within reason.
5. My sense of curiosity is a valuable job qualification.
I have, in the past, annoyed lesser bosses by asking why. When I asked, I wasn’t questioning their judgment – or not usually, anyway. What I needed was to understand what went into a given decision, so that I could make my own decisions to support it appropriately. (Yes, it does make sense that I have user research in my background too.)
This quality is really useful in this job – in fact, in a well-functioning environment, I’d call it essential. It’s particularly so when you do consulting for clients, as my company does. Sometimes we serve them better not by doing exactly as they request but by asking why enough (and politely enough) to find out what it is they really want. From there, good work actually gets done.
My suggestion to you: your beginner enthusiasm and curiosity are valuable tools. When you don’t take anything for granted, you can notice things more seasoned engineers don’t. If something isn’t clear, ask about it (even if only privately to your boss) until it becomes clear.
6. Sometimes the tool is broken. Not you.
Early last year, I was doing some experimenting with AWS on my own at work, going between the command line and the web UI to launch instances, tailor and tweak them, and get used to the interaction between different aspects of the tool. But for a few weeks at the very beginning, things just didn’t work right. I’d follow a tutorial, enter a command, and – what even the hell? Trying to spin up an instance would fail. Security groups wouldn’t work right. And, worse still, I was so new and the failures were inconsistent enough that I couldn’t deduce any logic from what was happening. I was failing and didn’t feel like I was learning from it, one of the worst feelings. I rarely have reason to wonder if maybe I’ve been secretly stupid all along, but in that handful of weeks, I’d stop sometimes and wonder if engineering was finding some sad new quality of mine that had been hiding throughout my career.
Then another senior engineer got hired and had a little time before being put on a client. He found that our AWS account was old enough that it worked differently than more recently created ones do. He made a new account. Suddenly, tutorials made sense, and my results were predictable – including my errors. I was so relieved I had to stop and stare into space for a few minutes to absorb it all. AWS and I are friends now, despite our rocky start, but I would never have figured this out on my own.
My suggestion to you: sometimes the problem is between keyboard and chair, sure. But sometimes it is not. Ask questions, pair with someone, and make sure that someone who knows more than you witnesses your sticky moments sometimes. It’s ego-deflating, but it’s better than spending days or weeks flailing in some swamp that isn’t of your own making.
7. Timing is everything.
If you have even a semi-active sense of curiosity, you can spend endless amounts of time reading docs, essays, StackOverflow speculation, comments, comics, reviews by the competition, helpful blog posts, amusingly bitchy blog posts, and so many other things that may be very useful, completely useless, or – worst of all – approximately 29 percent useful. It’s that last one that can eat your afternoon. If you aren’t aware of this particular hazard, you can lose an hour or four much more easily than you might have ever suspected.
My suggestion to you: timebox that shit. And if you have access to someone more experienced than you, work out a relationship where you can come to them pretty regularly for reality checks and course corrections before you sail yourself deep into the ocean of chatty, chatty internet people. It’s ok to ask a more senior person to rule out some obvious stuff before you dig into researching your problem.
8. Unless the docs are shit, trust the docs.
(And if the docs are shit, should you really be using the thing it’s documenting at all?)
I realized recently (thanks to talking with one of my bosses; see the previous section), that I’d developed a habit I’ve nicknamed narrative research. I’d come to believe that the most efficient way to work through problems was to try to match my problem to someone else’s phrasing, find their solution on this or that third-party site, try to get that solution working to fix my problem, and then work backward to find out why what I had done worked, to learn a larger lesson from there.
Perhaps you’re already seeing the problem here.
If the tool you’re using requires the backassward methodology of someone in a completely different context than you to get it to work, it may be time to examine if you’re using the right tool – or, perhaps more likely, if you’re doing it right at all. You can stir your coffee with a screwdriver if you really want to, but there are better ways to use it. If you have a problem to solve, research just enough to find what library or whatever it is you need to use – and then use its own documentation. Don’t work off-label unless you really need to. Probably check with someone more experienced, if you really think this is a good idea.
My suggestion to you: there be dragons in Stack Overflow sometimes. Stay with primary resources as much as you can.
9. If you’re a person who does the caffeine thing, get your coffee game down.
I most often need one between three and four pm, just to perk my brain up to get through the rest of my day. A single Americano is a great way for me to address this. Recently, I messed up and overcaffeinated myself via the rookie mistake of using a bigger glass than usual for my cold brew. I spent the afternoon sweaty, with racing thoughts. Not a good look.
This is general life advice too, but I’ve found it more critical in this job than any other. It may seem surface, and maybe it is surface, but having your biological needs in check will let you do better at this.
My suggestion to you: know thyself.
10. Don’t be a hero when you’re sick.
This is especially important for me and my consulting colleagues who have a vested interest in quality billable hours, but: if you’re sick, be sick. Don’t soldier through. (And not just because of the obvious part about not being a disease vector. Seriously, stay off my BART if you’re ailing and have sick time to use.) If you feel like shit, you’re not going to be able to brain, and this work requires a functional brain more than any other job I’ve had. The others could be difficult too (especially the UX consulting gig I had just before I went to engineering school), but it’s just… different. Pack a snack, sleep enough, and pay attention when you’re sick.
My suggestion to you: be an adult and be honest with yourself. Sleep enough, eat enough, and stay home with pho from Seamless if you’re under the weather. Treat yourself like you’re parenting a toddler – you know, honest assessments. Sometimes you just need a snack; sometimes you need to stay the hell in bed.
11. And, finally: decency counts.
This is an industry riddled with social fuckery, and even people who found it worthwhile to stick it out usually have at least a couple really vile stories of colleagues and managers acting like total assholes. I work in a magical unicorner of the industry that’s largely free of that, but – get this – I still get points just for being housebroken and friendly enough that it’s pleasant to share space with me. It still seems to be considered remarkable in this industry (though it’s a requirement to work at my company). Can you treat a troublesome team with human decency? Can you be polite and keep it together even when you’re having a bad feeling and not getting your way? Do you have a regular life, and can you make nice chit-chat about it without it being a big thing? Congratulations: you have an important skill.
Beyond that, social stuff in tech is just different than it is in other industries. I’ve always been lucky enough to have coworkers I wanted to be friends with too, but there’s a certain all-banding-together kind of feeling in tech that I haven’t seen anywhere else. In some companies, it’s a natural side effect of putting a bunch of 22-to-29-year-olds with a shared predilection for alcohol in the same space for 60-plus hours a week. But even then, it has a function – when stuff gets hard, that empathy and caring and shared knowledge comes together, and everything functions better.
My suggestion to you:be cool, honey bunny. And, even if you have limited social energy (I certainly do), try to conserve some of it to spend time with your coworkers once every week or two. A lot of people are lovely, and the stuff about being a good member of a team is easier if you’ve taken a real interest in the people around you.
There you go, new engineer. There you go, Breanne of a year or two ago. And here are a few more resources that I’ve found really useful in the last year. I didn’t even write all of them myself.
How to edit your PATH variable (and what PATH is): I had the hardest time getting an answer to this, which was tough when I was already learning a lot about how a computer works when you’re not just using it to dick around on the internet. So I pestered my coworkers for answers until it felt coherent and wrote it down. I hope it helps you too.
The rad illustrations of Julia Evans: always thorough and yet always approaching subjects from a unique angle, her illustrations are such a nice companion for whatever you’re learning.
And, just, you know what? Wikipedia is the shit for computer science stuff. Surprise! There’s a lot of legit documentation out there (ahem, man pages, ahem), but Wikipedia is so often a great place to start, and seeing unfamiliar stuff laid out in a familiar format can be really helpful if you’re stumped.