2019 Feb 4

A battery icon with ~70% charge remaining

Life’s too short to be anything less than a goddam hero

Today is Monday, February 4th, 2019, and — best case scenario — I have roughly 21,500 days left to live. Less than 60 years, probably. I’m more than 30% through the likely-maximum lifespan that I’d be fortunate to fully experience, and that’s making a lot of generous assumptions.

I wouldn’t fault you if it makes you feel uneasy to think about death, but another way to look at it is to recognize your limited time and life as irreplacibly important values. I certainly do. Every day in fact. That doesn’t mean I glance at my watch every five minutes or get irritated waiting in lines. Honestly, I’m quite well-adjusted and fairly laid back. But I can’t help but get a profound sense of motivation from the fact that I can only accomplish so many things before I’m dead. It makes me take my life and its limits seriously, because this is the only one I get.

Mike's face printed in greyscale

I’m so lucky and unfathomably grateful to have known someone with the biggest loving heart, with such incredible strength, and with the most unshakable, steely-eyed pursuit of life I’ve ever seen. He’s on my mind every single day, and thinking of him reminds me that I’m alive. I remember to keep going, to always pursue purpose, and to fight for the future while I still can, because, every single day, he reminds me how life is too short.

Life is too short for me to be complacent, so I might as well do everything I can to be truly fulfilled in it. Life’s also way too short for me to be mediocre, even if that means my only worthwhile option is becoming a “military-grade overachiever”.

It’s always possible that my specific interests and goals could change with time, but, as far as I can see, I’ll never lose my strong sense of right and wrong, my preoccupation with the field of security, and, hopefully, my knack for technology.

Inspirational quote with creepy newspaper wall backdrop

Background Information

I’m Mike, and I’m a hacker security researcher in Boston. As of this writing (early 2019) I’ve been involved in the infosec community (conferences, meetups, etc.) for about ten years with over six years of professional experience in enterprise IT and security roles. I have a bachelor’s degree in information technology (with concentration in security), and I hold a handful of industry certifications. More importantly I’m a highly motivated and determined agent of good (I promise) in the global arms race that people call cybersecurity.

Mike in a blue shirt in an apple orchard

Currently, I’m employed by an endpoint security company as a threat hunter and security researcher. Our day-to-day work involves finding intrusions, malware infections, and other malicious activities in our customers’ networks that have already evaded the security controls and response processes in place. We learn a lot, and then we shut them down. Basically, I try like hell to be an even-more-advanced and even-more-persistent threat (read: pain in the ass) to the thieves and snoops trespassing in our customers’ networks than they are.

The most fulfilling part of the job is learning all of the latest hacking tactics and techniques that are actually in use ‘in the wild’ and taking steps to disrupt, deny, and degrade cybercrime activity and other adversaries. Basically, I love that I get paid to ruin bad guys’ days practically every day of the week. That’s the goal, anyway.

I’m very interested in how hackers continue to circumvent security solutions, how their malware works, and how the underground cybercrime economy functions. Currently, I’m studying a balanced and somewhat general set of infosec disciplines by complimenting my professional, exclusively blue team experience through research of the offensive arts whenever I can. To that end I’m taking professional training courses on penetration testing and red team tactics. When those aren’t underway, I’m usually working through self-study resources (e.g. HackTheBox), reading tons of books, doing self-directed security research, or working like hell to drop l33t t00lz develop related software.

And when I’m not in front of a computer screen I’m probably on the beach in Hawaii. Or at least smirking and wearing sunglasses somewhere. Probably. So I’ve been told.

Mike sporting shades smugly smirking

Anyway, I’m always learning, but my current priorities are general readiness, competency, and conceptual clarity when it comes to my skill development in this field, and my current projects reflect this. For now, they’re mostly focused on integrating and operationalizing existing tools and techniques. If you’re interested in learning-by-doing, ‘tooling up’, and always being ready for the next engagement (defensive or offensive) then my projects will probably be of interest to you.

Ethical & Political Views

I’ll be writing about various technology-related ethical and policy topics from time to time, so this part may help others understand part of the philosophical worldview from which my conclusions arise.

I believe that values are possible to living creatures, and that the value of something can be objectively evaluated in the context of a creature’s life. For humans, one can observe the natural needs of human life specifically and use reason to discover and understand objective human values - values that exist regardless of anyone’s subjective wishes, emotions, or arbitrary assertions - values that are objectively necessary for life and objectively good to pursue to live as a human.

The objectivity of human values applies to everything from concrete values like food and shelter to abstract and more complex ones like self-esteem, purpose, love, and happiness. An individual human’s life is his or her only objective standard of value, and reason is the only valid method for a human to discover and pursue any values, so I believe that the only proper moral code for human life is one that acknowledges this reality. Rational egoism, or rational self-interest (i.e. selfishness practiced by means of reason) is the only reliable, practical, and moral way to live as a human being.

Furthermore, I believe individuals have natural rights. Everyone should be allowed to choose to live (the right to life), to be free from aggressors who would use violence and force against them (the right to liberty), and to have liberty with respect to the specific means needed to actually live their lives (property rights).

Gadsden flag

Individuals have these rights, and although the concept of rights only has meaning in a social context, the conceptual validity of individual rights can be discovered through objective, logical induction and observation of the needs of individual human life (the literal need to be free from violence and to own property in order to live) inside or outside any specific society.

In a just society, individual rights are properly respected. Moreover, in a civilized society, individuals delegate their right to self-defense (the right to defend their lives, their liberty, and their property) to governmental institutions (police, courts, military, etc.) that in turn act as fair, impartial, and lawful protectors of these rights. But a just government is itself (not unlike the individuals whom grant its agency) limited in using force only to defend these individual rights, and has no valid authority to use institutionalized force beyond this limit. Organizations, including governments, are only made up of individuals, and merely assembling together does not change the needs or nature of human life or the moral responsibility of organization members to respect the rights of every individual.

The idea that any group has ‘moral authority’ that an individual lacks, that groups can subjectively determine morality itself, or that might makes right - lacks rational basis in reality. Using force outside the need for self-defense, even if carried out in the most lawful ways for the nobelist of outcomes, amounts to initiating the use of force against peaceful, non-violent people. Since no individual has the moral right to do this it follows that no group - no matter how popular, orderly, or powerful it may be - can rightly wield this invalid authority whatsoever.

How to Contact Me

You can message me on Twitter @mikeiacovacci. You can also find me in a handful of infosec Slack groups like InfoSec Boston, Hunting Party, or similar. I’m also on LinkedIn if you have a professional or work-related need. I attend the Boston Security Meetup (monthly), and I try to make it to a few security conferences in the U.S. each year too. I’m introverted, but I enjoy meeting new people, so if you run into me in person feel free to introduce yourself. I might not always look how I do in photos on this page or elsewhere online, though. ¯\_(ツ)_/¯

Blurry shot of Mike on a subway train

Confidentiality & Authentication

If you need to send me anything confidential you should encrypt it with my PGP key beforehand. If you plan to use any of my code (or otherwise rely on the authenticity of something ostensibly created by me) you should verify any accompanying cryptographic signatures by using my PGP key.


Understand that these instructions are simplified for very basic use cases to meet rudimentary privacy and authentication needs. I cannot guarantee they meet any regulatory (HIPAA, PCI, GDPR, etc.) or other legal security requirements. Furthermore, the security of a given task is affected by many variables, often ones not completely under our control, and these instructions do not attempt to account for every variable and possible scenario. Your mileage may vary. Lastly, my code (even the trivial bash commands on this page) has absolutely no warranty of any kind. Do not proceed unless you accept and assume all risks.

How to Verify my PGP Key

If you have wget and gpg installed you can import my PGP key with this bash command:

wget -O - https://payl0ad.run/crypto | gpg --import && gpg --fingerprint

Part of your output should look like this:

gpg: key A3970118D56B2E35: public key "Mike Iacovacci <mike@[REDACTED].com>" imported
gpg: Total number processed: 1
gpg: imported: 1
pub rsa4096 2016-03-23 [SC]
C9EE FD5E 15DA 9C02 1B0C 603C A397 0118 D56B 2E35
uid [ unknown] Mike Iacovacci <mike@[REDACTED].com>
sub rsa4096 2016-03-23 [E]
sub rsa4096 2016-03-23 [S]

Before proceeding, you should verify the key’s authenticity by comparing the fingerprint in your terminal window to any copies you can find elsewhere online or from out-of-band sources. Better yet would be to ask me to confirm the fingerprint in person if possible. If for some reason the fingerprint doesn’t match your output DO NOT proceed and trust or use the key.

How to Send Me Confidential Data

To encrypt a document or other file before sending it to me, execute the following command replacing {FILENAME} with the actual name of the file you want to encrypt:

gpg --recipient "Mike Iacovacci" --trusted-key A3970118D56B2E35 --encrypt {FILENAME}

You should now have another file with the same name but with a .gpg extension. Send this encrypted file like you would have sent the original.

To encrypt a file and get ASCII text output on the screen instead use this command again replacing {FILENAME} with the name of your input file:

gpg --encrypt --armor --recipient "Mike Iacovacci" --trusted-key A3970118D56B2E35 < {FILENAME}

Now you can copy the text to your clipboard and paste it into an email body, a chat program, or whatever communication method you’re using.

To encrypt a message you wish to interactively type into your terminal use the following command:

gpg --encrypt --armor --recipient "Mike Iacovacci" --trusted-key A3970118D56B2E35

Now gpg will wait for your input. Type your message and press CTRL+d when you’re done. Your encrypted output will be displayed on the screen.

How to Verify the Authenticity of My Code

When I cryptographically sign a file I’ve created, I produce a “detached” signature (a separate file) bearing the same name as the signed file (but with an .asc extension) to accompany the signed file. To verify the signature first ensure both the signature file and the signed file are in the same directory. Then run this command replacing {SIGFILE} with the filename of the signature file:

gpg --trusted-key A3970118D56B2E35 --verify {SIGFILE}

Read the output carefully. It will tell you whether or not the signature is good.