Summary: The Hacking Project

December 29, 2020

The Christmas holidays are here and the ‘The Hacking Project’ is over.
This is a summary, containing some general reflections from working on a project of my own in solitude for three months time.

First of all, let’s recapitulate:

I was into web hacking for about a month. At a point where I felt I needed to do something else and I had a look at ISO27001. I found it interesting and decided to try to implement it for my own information assets. This kept me busy to the end of the project and led to something I call the Information Index.

The project has been documented on a weekly basis in “public updates” which are linked when relevant. They are also available here in chronological order:
Week 1: An overview
Week 2: Focusing on webhacking
Week 3: Learning resources
Week 4: Failure and wasted time
Week 5: A boring update: CTFs and ISO27001
Week 6: Security in one sentence
Week 7: Welcome back
Week 8: The Information Index
Week 9: Unexpected results
Week 10: Happy and satisfied
Week 11: The way things should end

Things done right
Before starting to hack I spent some time preparing for the project (roughly 10% of the total time). During this time, among other things I prepared a few interesting subjects to work on aside from web hacking. This turned out to be important as it allowed me seamlessly switch track mid-project.

The three month timeframe was good. Three months is not much in a human lifetime, but to the mind it feels like forever.
Of practical importance is that it is long enough that it is possible to miss a week or two due to sickness or similar without having to make adjustments to the overall plan.
In hindsight I could have stopped one week prior to what I did.

The weekly planning also worked out well. Planning and committing to one week at a time was a good tradeoff between knowing what to do and flexibility. Most weeks there was no actual planning, I kept going from where I left off the previous week.

The last thing that comes to my mind is the public updates.
In the first update I mentioned two reasons for writing: communicate to others what I’m doing and as a future reference. The first point turned out to not be valid; very few people know about this website. But “for future reference” was important.
As I write this down I frequently reference my updates in the text that I’m writing, but I haven’t actually read through them. It seems I have not only written things down in files on a computer, but I have also written them down in my mind.
The writing, which I usually did on Fridays, also always came with a feeling of completion. The week had been concluded. This gave the weekend a good start.
As mentioned, I intend to continue to write on a weekly basis. Exactly how I will do this remains to be seen as I no longer have a project to write about.

Things to improve
One thing that I obviously got wrong is the name ‘The Hacking Project’. In the end the project was mostly not about hacking at all.
‘The IT-Security Project’ would have been a better name (maybe with a ‘research’ added in there for some extra sophistication), as this is what the project should be about in the first place. Hacking was just the starting point.

The guidelines that I formulated the first week could also be improved.
First, two of them are not guidelines but requirements, but that is a minor detail. Secondly one of the requirements, that the project should result in an IT-security skill that I can put on my CV, wasn’t compatible with the weekly planning. Which week should I break my flow and plan so that this requirement is fulfilled? None it turned out. This requirement was indefinitely postponed.
I should either have created the project from the start to fulfill this requirement, or I should have dropped it altogether.
(Side node: I have acquired important insights and skills that I can add to my CV, but that was more of a happening, not because I made an active effort. When working hard on something for 3 months I guess this is inevitable)

The last part here is about how I write. In several updates I have written something like: “I will write more about X later”. This again violates the principle of weekly planning as there is no “later”.
It is very tempting to add these kind of promises since everything I’m working on cannot be explained in a single update but it should be avoided since updates gets cluttered with this kind of statements which add no value.
It is also obvious that it is not true. Not a single time have I written something “later”.

Value
I wrote the first week that I didn’t expect this to pay my salary and it hasn’t. But from a personal perspective I believe the project has been a high value investment.
I’m satisfied of the outcome and I have (with the exception of some frustration) felt very well during this period. Particularly when it comes to stress. There is a good chance that I’m able to carry this with me for a long time.

From a purely financial perspective the value of the project is yet unknown. The things I have learned and created during this time, will they allow me to earn more than if I would have kept one of my regular assignments? I sense two things here:

In the end, only time will tell. I have added a reminder in my phone, 5 years from now (2025-12-29) to go back an evaluate this point again.

Will I do this again?
It is very possible that I will do this again, but it will have to wait a few years. What I need to do now is to put my newly acquired skills to good use.

The most important part
I’m convinced that in the end, the fact that I carried through with this, in the way I intended, is the important thing. The outcome and most other circumstances will eventually cease to matter.
These unique months will forever be a reference point in my life that I can use to compare whatever I’m doing to and I’m now able to provide an answer to questions such as “what is it like not to work”.

I would be surprised if this had no effect on future choices that I make.