I'm what you might call a "Stone Age" programmer. Not because I code with rocks and sticks, but because my toolkit is filled with ancient relics like LISP and OCaml - functional programming languages that are about as popular in today's enterprise world as flip phones at a tech conference.
I spent three glorious years in the industry writing functional code, and let me tell you, it was like being a minimalist artist in a world of reality TV. Those languages taught me to appreciate the elegance of software craftsmanship, much like Paul Graham describes in "Hackers and Painters." Graham's comparison between hackers and painters - both creating something from nothing, both obsessing over beauty that most people will never notice - still resonates with me today.
But here's the plot twist: my day job isn't painting digital masterpieces in LISP. I've been working in InfoSec since 2007, and for the past two years, I've been a security architect at a multinational company, dealing with compliance and security architecture. In the China market, this is basically a luxury job - like being a food critic in a town that only has fast food. Most local companies would rather spend money on anything else before investing in proper security compliance.
This job has given me a front-row seat to the cutting edge of enterprise security, which I'm grateful for. But it's also created a weird kind of cognitive dissonance that reminds me of my college dreams of becoming the next Einstein.
You see, my first degree was in Optical Information Science and Technology - basically, I wanted to be a physicist. My second degree was Computer Science. Physics seeks the fundamental laws of the universe. Information security, it turns out, deals with the fundamental laws of the digital world - and the uncomfortable reality that most people prefer to pretend these laws don't exist.
The Great Certificate Mystery
Let me tell you about the moment that perfectly captured this absurdity.
I'm sitting in a routine security review meeting, watching my colleague ask what seemed like the most basic question in the world: "Are the certificates on these IoT devices centrally managed?"
The Technical Project Manager (TPM) looked confused. He turned to the device vendor for answers.
The response that came back was so pure, so innocent, it almost broke my brain: "We've never heard of certificates. What's a certificate?"