Being born in Greece you are blessed with free public education, perfect weather all year long, access to some of the best vacation destinations in the world, short distance to the sea from almost every area, awesome food, frape, fredo and great hospitable people. You are also ‘blessed’ with a struggling economy, public sector corruption and mandatory conscription.

When you turn 18 you are required by law to enlist in the army, unless you are pursuing a degree in higher education, something that allows you to postpone it until you are 27. That’s what I did, since I was busy with school in the Computer Engineering and Informatics Department at the University of Patras, developing Ncrack, doing research on network protocol exploitation and working on a startup. However, the clock was ticking and time had finally come when I had to show up at Thebes for boot camp training which lasts about a month.

The total serving time is 9 months for the army and 12 months for the navy or air force. Normally it is harder to get selected for the navy or airforce - they get far more applications since it is considered more lax as far as chores are concerned but this is balanced with more serving time.

A lot of Greek people, especially young, testosterone-fueled men at their 18s, naively think that the army is going to turn them into indomitable ass-kicking commandos that can subdue and overpower any opponent. This is a subset of the type of people you will unavoidably come across, as I did. In that regard, I found solace in my view of the whole experience as a sort of time-limited social experiment that would allow me to interact with people that are not normally in my social circles. It can be an effective way of escaping filter bubbles and confirmation biases. The key is that whatever you do, it’s best to keep a low profile because you will have to deal with a lot of jackasses and the less confrontations you have the better off you will be.

Boot Camp

My time at the boot camp was by no means comfortable (not that it is meant to be) - mainly due to extreme lack of sleep throughout the whole time. First off, you have to sleep in a small booth with another 23 men of all ages, with all that that entails. And of course you sleep in bunk beds. Being a light sleeper can make it insufferably hard to get proper rest due to all the noise throughout the night - especially snoring - and guess what the chances are of at least one person snoring loudly if you only need the same number of people to have a 50% probability of having the same birthday. Second, there is the amount of time you have altogether to sleep. You are supposed to go to bed at 23:00, but until the whole booth (and the neighbouring ones) goes quite it can sometimes be midnight. Wake-up time is at 5:45 am, which means you often get a maximum of 6 hours of mostly bad sleep. Add that for a month and there are high chances you’ll eventually reach a zombified version of yourself. Every day follows a rigid schedule with very little ‘free time’ during which there isn’t a lot to do except to chill with other soldiers or contemplate hard about life.

During boot camp training you have no days off and you are not allowed to exit the camp until it’s over. Suffice to say, it was rare to be in good spirits during that time. I was a bit lucky because coincidentally I already knew some of the recruits from school (we went to the same University) so it was easier to mingle and meet others through them. Occasionally, we had to deal with unruly jackasses but laying low and ignoring them would work most of the times. Another thing that worked so that those people keep adequate yet necessary distance from you is to do something that earns their respect. Unsurprisingly that was rarely a demonstration of intellectual prowess, rather a display of physical abilities or skills.

One particular manifestation of that was when some of the rowdy recruits in our booth spontaneously started a competition on the number of consecutive push-ups one could do. Each took their turn and did push-ups while the rest of the booth would count. The average was about 30 and then one of the more athletic-looking soldiers did about 45. I knew I was able to do more than that in the past as I had been following a rigid daily work-out routine for the past 7 years. I decided to join the competition and did 60. From thereon, things changed for the better.

Cyber Defense Directorate

After the boot camp training ends, you are then transferred to your main base and what this entails is that wherever you get assigned at that point will impact the rest of your time in the military, since tranfers beyond that point are extremely rare. Where you get transferred then has a big impact on your quality of life for the next 8 months and it can make a tremendous difference on the nature of the tasks you will be assigned.

The infosec community in Greece is a small circle and my work on Ncrack, my research on the TCP Persist Timer exploitation and others didn’t go unnoticed. Thus, I had the privilege of serving in the Cyber Defence Directorate of the Hellenic National Defense General Staff, the most elite information security force in the Greek military. It was the ideal place for someone like me - almost exactly like working at a security company in the private sector (albeit with a much much smaller salary). I had an amazing time there and did research on some fascinating projects, further honing my skills for the rest of my conscription. Most people complain that their mandatory time in the army was mostly a waste of their time, but fortunately in my case it was anything but that.

What most people do while serving in the military VS what I did.
What most people do while serving in the military VS what I did there.

Lessons Learnt

One of the most important lessons I got there, straight from the Director of the Cyber Defense Directorate, is that a large part of information security and especially penetration testing is doing due diligence.

Having a disciplined approach and a structured methodology when conducting assessments is what will eventually make the most difference. Many times, infosec professionals neglect to look into or test some obvious cases. Often this concerns low-hanging fruit that are overlooked simply because they are too ‘simple’. How many times did you follow a rigorous checklist instead of trying things in random order in your assessments? Next time, try following a more methodical and systematic approach and compare the results - you might be surprised.