Insight on the Security Mindset

I recently came across an interesting editorial written by Bruce Schneier in which he talks about the “twisted mind of the security professional,” and he is pretty dead on.

After providing a nice anecdote, Schneier talks about just what it is that motivates security professionals, and it pretty much boils down to a proclivity for circumventing security measures.

Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.

And how right he is. I remember when I was around 6, possibly younger, I found myself mashing keys mindlessly on our old Commodore 64. Eventually, when the computer returned “syntax error,” I was thrilled. Now, I had no idea what this actually meant, but if I had to pick a moment of discovery, that would be it. This machine, which was hooked up to my television set, was talking back to me. My biggest curiosity was no longer getting a kung-fu fighting game to load, but rather what else I could make this computer say. Beyond this, I wondered how I could take over the world with a Commodore 64, which was no simple task. Some years later the internet became pretty popular; this was well before everyone had a PC in their house, and America Online was THE internet service provider. Sometimes I would call my friends to make plans only to dial the wrong number and be answered with a barrage of modem chatter; this too fascinated me. The next thing I would do is call that same wrong number with my computer and see what would happen. This usually resulted in a login prompt, which then led me to ask, “how can I get past this stupid thing?” Since any real exploitation was well beyond my mental capacity at the time, I did what any curious kid would do: kept calling.

Anyone that knows me relatively well can tell you that this is expected behavior from me. Eventually my random dialings came to an end when an unnamed company called my Mother’s house and asked what the heck was happening from her phone number. Thankfully nothing went terribly wrong after she explained that I was simply a somewhat mischievous, albeit curious, 13 year old.

Even now, some 10 years later, I still find myself wondering how I can take over the world, but in a much different sense. My intentions with the knowledge I have gained are in no way malicious. I accept that it is not my destiny to take over the world, whether it be through the internet or other means (maybe in another life). However, the desire to learn more and to continue questioning the secure protocols that make our world run is something that I will forever be fascinated with.

SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”

Really, we can’t help it.

Heh, right again Mr. Schneier.

Now, if you tell people that your hobbies include breaking into computer networks (when given permission), planning how you would shoplift, get into the safe at your credit union or simply get a can of Coke out of the vending machine without paying for it, they tend to get a little nervous, even if you make it clear you have no intention of actually executing any of the above.

My mind often wanders into weird areas of curiosity, mostly when I am doing things that are relatively normal to other people. One of my favorite hobbies: when my girlfriend asks me to go shopping with her (she really likes to shop), I look for all the security cameras. I then ask myself how many of them are dummy cameras, and then I look for the motion detectors and see if there are any areas of the room that are untouched by them. Next on my list is where the ‘employee only’ areas are and how they are accessed. Truthfully, I have absolutely no intention of either stealing or breaking into the store at a later date in time, but I just can’t stop myself from wondering or from developing the perfect plan that will never be executed. In fact, I find myself playing these scenarios out in my head and, beyond that, thinking about how security could be improved.

The secure mindset is interesting in the sense that it isn’t so much about creation as it is about disassembly. I often have a hard time explaining that to people. From time to time others in the open source community ask me for help with a PHP form or something similar, or maybe a friend asks me to fix their computer. It’s odd telling them that you aren’t sure how to solve their problem, but once they get it solved and they need someone to break it, you’re just the guy to get in touch with.

This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.

Despite what people may think up to this point, I am really not a criminal (seriously), but I believe my greatest tool as a security practitioner, beyond any software or computer, is having a somewhat criminal mind. I’d also like to say that it is that criminal mind that made my parents very nervous for quite some time.

The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, medical devices, ID cards, internet protocols. The designers are so busy making these systems work that they don’t stop to notice how they might fail or be made to fail, and then how those failures might be exploited. Teaching designers a security mindset will go a long way toward making future technological systems more secure.

That part’s obvious, but I think the security mindset is beneficial in many more ways. If people can learn how to think outside their narrow focus and see a bigger picture, whether in technology or politics or their everyday lives, they’ll be more sophisticated consumers, more skeptical citizens, less gullible people.

On a final note, being as involved with the security community as I am, a lot of beginners often ask me, “how can I become a great hacker” or “can you teach me how to hack?”

I’ve often speculated about how much of this is innate, and how much is teachable. In general, I think it’s a particular way of looking at the world, and that it’s far easier to teach someone domain expertise — cryptography or software security or safecracking or document forgery — than it is to teach someone a security mindset.

This is often the hardest part to get people to understand. You do not simply learn to hack. You learn to discover everything there is to know about these technologies. It’s not like you reach a point where you can access any private system at the drop of a hat, or that there is a well known exploit floating around for NASA databases. I like the quote, “don’t learn to hack, hack to learn”; it sums up the philosophy behind hacking pretty nicely.

Now, by no means do I encourage anyone to break into private systems and destroy data or rob a retail store (or any store for that matter), but in order to be an effective security professional, one who is one step ahead of the criminals, you cannot distance yourself from the criminal mindset.

In short: never stop learning; security is a continuing process, not a state of being; and lastly, be proud of what you have learned, even if it makes other people nervous.

If you are interested in reading Bruce Schneier’s Wired editorial in its entirety, it can be found here.

~ by ohsoninja on March 23, 2008.
