Schneier on Security
A blog covering security and security technology.
« Degree Plans of the Future |
| Friday Squid Blogging: Giant School of Squid »
July 15, 2011
Interview in Infosecurity Magazine
I think I gave this interview at the RSA Conference in February.
Posted on July 15, 2011 at 2:33 PM
• 36 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
You need to register in order to read the article...
Or you can use a login from bugmenot.com:
Thanks for the bugmenot.com tip!
@ Bug Me Not:
No offense to Bruce -- much was known, but the early education/early job history was new to me -- but as David said, the tip was the best!
Off-topic: Another piece on how successful the TSA is in preventing breaches:
Report: 25,000 Security Breaches at U.S. Airports Since November 2001
"More than 14,000 of those infractions were people entering 'limited-access' areas, while another 6,000 incidents included travelers who made it through security checkpoints without being properly screened."
"the breaches represent a miniscule fraction (just 1%) of the 5.5 billion air travelers who have used U.S. airports in the past 10 years. He also added that the term 'breach' can mean a number of things and that 'many of of these instances were thwarted or discovered in the act.'"
"The most recent incident occurred when a cleaning employee discovered a stun gun on a JetBlue plane that had landed in Newark, having flown from Boston."
So one percent of the time you can breach airport security - if you're NOT a committed, competent terrorist, just some moron who made a mistake and took your pen knife on the plane or stumbled into a secure area (and spent your time racing wheelchairs and going into am unsecured airport restaurant for a Slurpie like those other guys did.)
So here's the real question: How many times has committed, motivated, competent terrorists tried to penetrate security - and succeeded?
Which means these breaches - and the other 5.5 billion passengers - are completely irrelevant to whether TSA security is adequate to do what it is supposed to do - prevent an actual terrorist attack on an airplane.
@ Bruce Schneier
Interesting job history. The interviewer's near religious zeal clearly marks him as one of the "Cult of Schneier," as Viega calls it. So much for objectivity. It's fortunate that he at least made some good observations & quotes, like we're part criminal. This near psychopathic obsession with finding ways to subvert systems is something normal people are never truly comfortable with. But, like I tell them, judge a man by the results of his actions, not his intent. Intent doesn't pay the bills, keep hackers out, etc.
I also liked how Brian Snow had your back. I first stumbled upon him reading his "We Need Assurance" paper & now a decent quote shattering corporate viewpoints. I plan to meet him someday. I bet he'd have some great insights into various designs or security schemes due to his background.
@ Nick P.:
"like we're part criminal."
I think you're being too hard on the "security mentality". In many crimes (those that are "mala in se" vs. "mala prohibida"), intent is a vital element of conviction. I've mentioned before seeing someone's vehicle headlights left on in a parking lot in broad daylight. The door was unlocked, so I opened it and shut off the headlights, saving the owner a dead battery.
I would never be convicted, or even arrested, so long as I didn't help myself to anything inside the vehicle. There was a "breaking and entering", true, but not with intent to commit a crime. Here's a typical State Statute on burglary:
1. Entering a dwelling, a structure, or a conveyance with the intent to commit an offense therein..."
So, Bruce and you and I and all others with security mentality are not //at all// criminal, unless we act criminally.
Long before I had heard of Bruce, when the TSA screening first started, I amused myself while waiting in line by thinking of ways that potential means of attack could be smuggled in. It was easy - there were many. And no, I'm not going to name any. But since I wasn't connected to TSA or anyone relevant, I kept it to myself.
Those who use this thinking to anticipate attacks and come up with proactive measures to prevent them are not in the least bit "part criminal". Hope this restores your self-esteem, Bro. ;-D
@ tommy on Security Mindset vs Psychopathy
"I think you're being too hard on the "security mentality"."
"intent is a vital element of conviction"
Indeed. In many cases, a particular act might not be criminal. However, I think of it as criminal because of how it similar in so many ways, including intent in many cases. Particularly, I personally think someone born with the gift Bruce and I have is similar to a psychopath in some ways with regard to thinking style, although the differences make us constructive, good members of society instead of... you know. ;) Here's a few traits of a psychopath:
1. Repeatedly devise strategies to harm or game others for fun and profit.
2. Feel no guilt for their actions
3. Lack empathy
5. Repeated violations of social norms
6. Disregard for the law
I was using the Hare Psychopathy Checklist. I left out "shallow emotions" because it was irrelevant and "history of victimization" because that's covered by 1. So, here's some traits of someone with the security mindset going almost obsessively. (I can't speak for Bruce, but mine is on unless I'm totally relaxing & being sociable.)
1. Repeatedly devise strategies to harm and game others for fun and profit.
2. Feel no guilt for those actions, although we feel guilt in general.
3. Lack empathy for targets or organizations practicing insecurity.
4. Many are egomaniacs, although many are reasonable.
5. Repeated violations of social norms. (Almost by definition).
6. Partial disregard for the law. (More than most people)
So, in my view, a person fully going through the security mindset has to think much like a psychopath, although we try not to act like one. I mean, I might loose a lot of sleep if I ever executed a few of my plans. Too many people would get hurt. :(
No. 1 is one of the most important: we mainly do this for fun. It excites us. Coldfire, one of Britain's best hackers of the old days, once said "it's like the greatest crossword puzzle ever, except the game keeps changing & forces you to keep changing." After a while of fun, we notice there's money to be made doing it. So, we constantly try to game the system because it's fun and profitable. "Doing the right thing" or "making the system better" is just secondary to the primary reasons most people game the system.
Another hacker interviewed in that same show agreed (paraphrasing): "People often say they hack into systems because they hate (problem) & they are fighting it. Or they are trying to show people their weaknesses. That's utter bullshit. They know that, at the end of the day, they hacked into all those systems because hacking into computers is fun. Then, they try to rationalize it. But that's BS & they know it." I won't fool myself. I was born to do this stuff. I just try to do it in a way that causes no harm, is fun, is productive and *maybe* benefits society.
"Hope this restores your self-esteem, Bro. ;-D "
It did. It reminded me why we're different and why we usually win. I don't mind being similar to criminals because, at the end of the day, crime is just a definition on paper. What matters to me is staying free & livin it up without messing up other people in the process. Proper application of the security mindset can accomplish this, with improper application leading to devastation. It's all about making a choice.
Being "part criminal" (and having the record to prove it, although I prefer the terms "anarchist" or "radical Transhumanist"), I don't have any self-esteem to wound... :-)
I think it's more having an "engineering viewpoint" than a destructive viewpoint. In other words, we have a tendency to respect tools - whether they be guns or computers - and disrespect stuff that doesn't work right - which is pretty much everything humans make.
As Woody Allen said, summing up the human condition in five words: "Nothing works and nobody cares."
This makes my work as a PC tech incredibly frustrating, since almost all of the time I'm not building something. Instead I'm working with incredibly brain dead hardware and software that continually throws up road blocks to getting anything done.
But this also applies to how I view how society, politics, finance, you name it, works. I got motivated to start studying US foreign policy back in 2003 when it was clear there was going to be another war.
I started out being interested in how the war in Iraq was going to go, being something of a military buff (weapons are tools, right?) So I discovered iraqwar.com, a site where the owners had connections to the Russian GRU. So the reports there on how the war was going differed from the stuff you got on the US mainstream media.
When Saddam fell, I instantly predicted that there would be a guerrilla war that would end up kicking out the US. That pretty went as predicted (and isn't over yet).
Then I started following other sites related to the wars and foreign policy, such as antiwar.com. It didn't take long to get clued in on the basic issue with US behavior in the world, the motivations behind it (money and hegemony).
I already had a good knowledge of the history and nature of terrorism, insurgency and guerrilla war, so it was even easier to see through the BS coming out of Washington with regard to Iraq and Afghanistan.
And since Iran seemed to be the next target, I studied up on their "nuclear weapons program" and discovered, as usual, that it was "Iraq WMD" all over again.
So basically it isn't that we're "part criminal" - that we basically have some sort of malicious intent against other people by nature (although I'm sure some of the characters in the security industry do). It's that from an engineering standpoint we don't take things at face value, and from experience we know that things don't work as well as people think.
We basically deal with reality rather than belief systems because of our focus on how things work.
And when you deal with reality, you're immediately out of step with ninety eight percent of the world population. And THAT'S how you get perceived as being "part criminal".
@ Nick P.: (RSH, don't go away):
I'd like to draw further distinctions, based on your checklist.
1. Repeatedly devise strategies to harm or game others for fun and profit
Former POTUS Jimmy Carter once said that anyone who has looked on a woman with lust has already committed adultery in his heart. By that standard, everyone over the age of 12 with a Y chromosome is guilty of adultery. (For gay men, substitute "looked on a man".) But that's a religious or moral judgment. If we could be arrested for our thoughts, all of us, male and female, would be in jail, including the cops, DAs, Judges, and I guess the jail guards would have to join us.
Short version: Devising ideas doesn't make you a psychopath or a criminal. Executing them does.
2. Feel no guilt for their actions: "I mean, I might loose a lot of sleep if I ever executed a few of my plans. Too many people would get hurt. :( "
Sorry, Nick, that is the definition of "feeling guilt". Again, there is no need to feel (legally) guilty for your /thoughts/, and it appears that you do consider consequences to the victim, empathize, and that deters you.
3. Lack empathy for targets or organizations practicing insecurity.
Here, we differ. You know better. Some don't. Security is (obviously) not a significant part of a CSci or IT curriculum; it has low value in the marketplace, and hence, to employers; the IT execs don't know it, and if they did, they couldn't sell it to the bean-counters. I sympathize with the ignorant and empathize with those shouting themselves blue at a CFO who figures that the net uninsured losses will be less than the cost of implementing security, maintenance, training, customer inconvenience, etc. I wouldn't want that IT admin's job.
Besides, as noted in (2), that loss of sleep shows empathy.
4. Egocentricity. No argument. Including, of course, the guy who wrote the checklist. (PWNED!) History's greatest achievers, for both good and evil, have often been egocentric. Some great men and women have retained humility, of course, and so have some crooks (more on that in a moment.) It's not the trait, it's what you do, and what feeds your ego. If it's pulling off the greatest heist in history, that's one thing. If it's finding a cure-all for cancer, I'll forgive that person all the ego s/he wants. ;)
5. Repeated violations of social norms ... Way too broad. Bruce's book seems like this is a main topic. Socrates and Galileo violated the social norms of the time. So did Abolitionists, first in the North, then in the South. When the social norm is evil or tyrannical, or even overly micro-managing our private lives, those who think independently and have integrity will choose their own norms. (I think I hear RS Hack applauding... ;)
6. Disregard for the law ... Same as above. If the law allows slavery.... Or forbids adults to consume alcohol, screw the law, as many non-psychopaths did during Prohibition. The psychopath disregards laws that truly serve all people, such as laws against murder and rape and mayhem. Was Thoreau a psycho? He violated law and social norms, but willingly sat in jail rather than violate his conscience.
"I left out ... "history of victimization" because that's covered by 1.
Without even looking at the source, I would hazard that he meant that psychos themselves had a history of being victimized (abused). Most sex offenders were sexually abused children themselves. Serial rapist/killer Ted Bundy's mother was a prostitute; he got to see a dozen men a day come and go (so to speak!), which is pretty brutal to a young boy. Everyone's favorite psycho (not Norman Bates ;), Hitler, was regularly beaten by his father, according to many sources. It's not hard to see how this victimization creates both a legacy of anger and an inability to empathize, as their tormentors did not empathize with them.
It may be this very feeling of powerlessness, rather than egocentricity, that motivates the psycho to try to achieve feelings of power and control.
In short, "think much like a psychopath, although we try not to act like one."
And not acting like one makes all the difference in the world.
Sorry, man, I just don't buy that the security mindset makes us at all similar to psychos. However, I wholeheartedly agree that trying to /think like/ your attacker, be he hacker, enemy army, bank robber, whatever, helps devise effective counter-strategies.
But in your own case, "unless I'm totally relaxing & being sociable. ... Repeatedly devise strategies to harm and game others for fun and profit." Yeah, if it's that obsessive, you need to take up tennis or knitting, or go for a walk. :)
Seriously, if you then think up counter-strategies that lead to high-assurance solutions, your obsessiveness is as beneficial as Edison trying 900 light-bulb filaments and saying, "Now we know 900 things that don't work." But if you're instead relishing the thought, and it's detracting from life and positive accomplishments -- meditation, medication, love, therapy...
"we mainly do this for fun. It excites us. Coldfire, one of Britain's best hackers of the old days, once said "it's like the greatest crossword puzzle ever,"
Highly-intelligent people get bored easily and need constant mental stimulation. They are more likely to be diagnosed with ADD. (I think my doctor once said I had ADD, but I wasn't really listening at the time.) I read of an ADD patient who presented with the following addictions: crossword puzzles, cocaine, and p*rnography (still worried about the auto-filters). What do all three of these have *in common*? Mental stimulation.
Why did I chop my Windows folder from 4 GB to 175 MB? At first, to make FDI backups faster and less bulky. But it became a mental challenge, a game, just as you said, and I took it waaay beyond the original goal. Which was a huge learning experience, and a huge reduction in attack surface. Win-win-win(dows).
"I won't fool myself. I was born to do this stuff. I just try to do it in a way that causes no harm, is fun, is productive and *maybe* benefits society."
The ancient Greeks would be proud that you "know thyself". And I'm with you, though perhaps not to the same degree. There may be a thin line between genius and insanity, but so long as you "primum non nocere" (do no harm) and produce security solutions for a world desperately in need of them, you're not a psycho, but a benefactor of humanity.
(steps down from pulpit.;)
@ Richard Steven Hack:
"I don't have any self-esteem to wound... :-)" LOL! +1 for knowing thyself, too!
"I think it's more having an "engineering viewpoint" than a destructive viewpoint. In other words, we have a tendency to respect tools - whether they be guns or computers - and disrespect stuff that doesn't work right - which is pretty much everything humans make."
You're up to +5 and climbing... I went to make a simple online funds xfr for an elderly, non-Net-able relative, and practically screamed trying to navigate the hidden mouseover menus with their non-descriptive names, sub-menus, etc. Whatever happened to a simple HTML link, "Transfer money"?
"As Woody Allen said, summing up the human condition in five words: "Nothing works and nobody cares."
It's been an unusually bad week for moi, but yeah, that's exactly how it seems to work. It's also why jobs get outsourced to hungry nations like India -- some of them still care. (Allen should talk? Incestual child molester.)
"So basically it isn't that we're "part criminal" - that we basically have some sort of malicious intent against other people by nature..."
Actually, evolutionarily, we do. A stranger approaches. Friend or foe? He'll help you hunt the tiger and divide up the meat, or he'll kill you and take your woman? Maybe you should kill him and take his family, food, and land... The effort to make us feel safe with strangers and be safe toward them is called "civilization". Results to date have been mixed.
"We basically deal with reality rather than belief systems because of our focus on how things work. And when you deal with reality, you're immediately out of step with ninety eight percent of the world population."
And that is why the world is in the mess it's in - because of those 98% who stubbornly cling to wishful thinking vs. reality.
Congratulations! Just hit +10!
"A Boy Named Sue" - Johnny Cash
"Life Ain't Easy With A High IQ" -- tommy
+5 for the length 8)
I shall soon have to ceed my crown ;)
"... is guilty of adultery.... ...But that's a religious or moral judgment. If we could be arrested for our thoughts, all of us, male and female, would be in jail..."
Firstly you need to seperate lust / sex from the false imposition of ownership by marrage for gain / political position.
With regards sex it's not realy a "religious" or "moral" judgment, but it is very much seen as that for political reasons.
A look a pre medieval history will show that the churches real interest in marriage was about the transfer of property and status and thus for "political union" of those in power.
Some scholars actualy argue that "virgin" as in "virgin mary" does not mean what it currently means, and actuall ment "a woman who had not had children". (on a side note in medieval times women kept their ears covered because they where considered to be sex organs in that "mary concieved through the word...").
For commoners marriage was almost unknown in the formal sense, a daughter would often be given away by way of establishing family ties, or shuffled off to whomever she identified as being the father of her soon to be child. If the prospective father refused then the child would be raised by the mother and her family. Much of this had to do with things like the rights of spring and other festivals where even an "old maid" would get the chance to become a mother.
Two things changed the "Churches" view, venerial disease and as people turned from the land to comerce the trend towards "middle class" where an expectant mother would be rejected by her family and the Church was expected to "bring up the child in the name of God". Thus the chalenge to the Churches purse strings of caring for the diseased and illegitimate forced them to push marriages onto those with position and status down to even farmers (free men with land) and tenant farm labourers (serfs etc).
The Church quickly discovered that the "moral" prohibition on sex had other very desirable features in that enabled control of the populous.
Which is still true today. When you look at nations undergoing the break away from their current political over lords the increase in sex outside of formal relationships is a good indicator that those incharge are not respected by the populous any longer and thus political change is in the wind.
Though what that change is in a democratic country we have yet to see, we do know that in certain countries less and less people vote and have so little interest in who is supposadly running their local municipalitie or state / country, they canot either name the person or the party or where they fall on the political spectrum.
This is one of my first visits to your blog, this interview brought me back. The portion about a security person's brain subverting or deconstructing particular defenses really resonated with me.
I am 23 and have been studying mathematics with a computer science focus and really struggling with what to do once I've graduated. This description fit my mind perfectly, my mind is constantly turning over ideas and concepts about taking things apart, watching the way people set things up and move around, thinking of ways to get around them and take things apart. Now I don't act on the ideas, of course. I just find it a fun little mental exercise (yes it WOULD be incredibly easy to get into that room that contains the safe, every two minute or so everyone walks away from it, and if you stand in this spot right *here* it is a total camera bind spot, etc).
I guess I had thought that I might enjoy a job in security in the past, my favorite mathematics class so far as been crypto and information security, and my favorite comp-class was a computer architecture course where we practiced very basic reverse-engineering to determine the concept and execution of a set of machine code, and figured out the most creative way to stop it from operating correctly.
Until this moment, however, I hadn't really connected all the dots and actually thought to actively pursue a security-based career.
I suppose I'm not sure what to look for when it comes to entry-level security jobs. Are there certifications that are required / recommended? Where should I begin looking?
Today I've started reading through your links and brief thoughts, and let me say thanks! These articles and ideas are incredibly fascinating. I'll be back!
@Richard Steven Hack: "the breaches represent a miniscule fraction (just 1%) of the 5.5 billion air travelers who have used U.S. airports in the past 10 years."
So one percent of the time you can breach airport security
Actually, 25,000 of 5.5 billion is 0.0005%, not one percent. It's roughly 1 in every 200,000. If a terrorist is lucky enough to exploit that, he shouldn't be a terrorist, he should be buying lottery tickets or frequenting vegas.
"I'd like to draw further distinctions, based on your checklist. "
I appreciate the feedback as always.
"Former POTUS Jimmy Carter once said that anyone who has looked on a woman with lust has already committed adultery in his heart. By that standard, everyone over the age of 12 with a Y chromosome is guilty of adultery."
This isn't an appropriate comparison. The sex drive is raw human nature & benefits society. Seeing a beautiful woman and having sexual thoughts is natural, acting on them good or bad. Looking at a beneficial piece of technology or society & immediately seeing ways to break it is very different.
"Devising ideas doesn't make you a psychopath or a criminal. Executing them does. "
I agree. My claim is that how we think under the security mindset is similar to how psychopaths think. That's the extent of the comparison.
"Sorry, Nick, that is the definition of "feeling guilt".
They feel no guilt for both thinking of how to do it and executing it. That's indeed much more serious. However, we feel no guilt for thinking and speaking of the ways to do damage. I've noticed that the majority of people get frightened or uncomfortable when I talk about weaknesses spontaneously. They act like there's something wrong with me for even saying it. My friends in the business often get the same reaction. So, we usually follow up such a comment with a brief description of what we do & its benefit, which relaxes them. Criminals are never bothered by any of my statements, even excited. That's what I'm referring to & I understand that "doesn't feel guilt" wasn't an adequate description of a complex issue. My bad.
"3. Lack empathy for targets or organizations practicing insecurity."
"it has low value in the marketplace, and hence, to employers; the IT execs don't know it, and if they did, they couldn't sell it to the bean-counters"
Most pen testers that hit organizations will exploit the people and systems to accomplish their job without stopping from concern for those they target. They just reduce damage mainly to reduce liability. Many pentesters would love to give a big show that wakes people up, even though it would hurt them. So, there's a question of how much empathy, if any, many of these people feel for their targets. Some might do this because they believe it benefits the targets overall, but many would do it just because it's a fun power trip.
The apathy toward security certainly reduces empathy, especially in my case. It's hard for me to care about giving them headaches during a test when I read things like the Firesheep facebook story. I guess I don't care because they don't care. I can't speak for the others' motivations. I do, however, care about those who do what they can.
"4. Egocentricity. No argument. Including, of course, the guy who wrote the checklist. (PWNED!) "
LMAO. So true...
"Repeat violations of social norms... Way too broad."
It's actually not. Remember that some of these traits, by themselves, may be positive. The psychopathic thinking style is a combination of many. (They don't actually have to have every trait, just most.) To clarify why this is an issue & not like revolutions of the past, you just have to notice one thing: the security mindset resists both good and bad social norms. It finds flaws in *everything*. It doesn't consider the benefits of its potential target & always attacks the status quo. Of course, a key differentiator is, as you said, we don't always act on our thoughts or obsessively follow them for a single target. This prevents the destruction of society by people with this talent, but that we're always thinking of ways to undermine it says something.
"Disregard for the law. Same as above. If the law allows slavery.... Or forbids adults to consume alcohol..."
Like violations of social norms, I've always considered this one to be a weak part of the diagnosis. I have no respect for the law: I merely follow it most of the time to avoid punishment. Many others share this view. I guess the differentiator is that criminals break serious laws more consistently than most members of society. And these might be laws that mostly benefit society. People with the security mindset are more likely to do the same. Again, this is one of the minor parts of my analysis, but no stone must be left unturned.
"Without even looking at the source, I would hazard that he meant that psychos themselves had a history of being victimized (abused). "
I don't know how it was lost on me. Must have missed the obvious in my hasty review. Yes, that's certainly what the item meant & is probably true for many real psychopaths. So, how could it apply to the current establishment? Perhaps, the security mindset forms because of how society's mechanisms victimize the individual, with the mindset allowing increased liberty & protection. Something tells me the answer to this part will be in Bruce's next book, so I'll save it. ;) As for Hitler, most people don't know that his Christian beliefs & zeal inspired his anti-Semitism. Mainstream Christian publishers have tried to hide this, claiming he was an occultist, but even his own book [that nobody is supposed to read] tells the truth. Here's a nice link for you:
It appears that parental abuse might have started it, the Germanic Christian teachings empowered it, and then the resulting psychosis subverted the Christian churches in Germany to push a much darker religion: Nazi doctrine.
"Sorry, man, I just don't buy that the security mindset makes us at all similar to psychos."
Remember, I'm not saying it makes us psycho's or nearly as bad: just similarities in the thinking style. I'm nothing like a psychopath in practice. Moreover, I'd probably beat one to a pulp if I was lucky enough to catch them in the act. So far unlucky... :(
"Seriously, if you then think up counter-strategies that lead to high-assurance solutions, your obsessiveness is as beneficial as Edison trying 900 light-bulb filaments"
You're underestimating him. He actually tried at least three THOUSAND attempts, with some people saying it could have been near ten. Most sources say over three thousand, though. And, yes, such obsessiveness can pay off if applied toward solving a useful problem. And, yes, it could be said that my focus on security is about as obsessive as Edison working on light bulbs. Time will tell if this is a good or bad thing.
"There may be a thin line between genius and insanity, but so long as you "primum non nocere" (do no harm) and produce security solutions for a world desperately in need of them, you're not a psycho, but a benefactor of humanity. "
Again, never claimed we're psycho's. And I totally agree with your statement. Thanks again for your insightful reply. :)
@ Nick on july 18, 2011
"This is one of my first visits to your blog, this interview brought me back"
Welcome! I'd strongly recommend you click on the links to his archives over the past years, copying links that look useful into a text file. Then, go back, prioritize them and look at them. There's been a ton of good insight on this blog over the past few years. One neat thing, though, is that most of the best insight is in the discussions that take place in the comment's section. Many bright people seem to post here, some throwing out essays worth of content. *cough* Clive *cough* Although, you probably wont get a reply if you post to archive threads due to lack of a good notification system.
"This description fit my mind perfectly, my mind is constantly turning over ideas and concepts about taking things apart"
Sound like a true hacker in the old school meaning of the word. Yes, you have some potential. ;)
"Until this moment, however, I hadn't really connected all the dots and actually thought to actively pursue a security-based career."
DON'T! I swear it's not what you think it will be. If I could have done things differently, I wouldn't have taken up an IT security job: I'd have been an anasthesiologist or something and done security assessments as a hobby. Most of my best work is still done as a hobby. Let me explain why a security "job" isn't usually as fun as applying the security mindset.
First, security is considered discretionary, gets little budget, is hard to sell, and has high layoff potential. Second, most users don't care about security, are unwilling to follow security admins advice, or are forced to ignore security due to higher priority performance requirements. Third, most of the security investments companies make are boring, mundane jobs like firewall configuration or log auditing. Fourth, companies often refuse to take a different approach even if it's empirically proven to improve security/quality at a LOWER cost. It sounds crazy, but it's true.
An example from the old days was getting companies to switch from C/C++ to Java for business apps. At that point, Java was mature, more productive, and eliminated many classes of vulnerabilities & bugs by design. It took them forever to get on the bandwagon & used managed languages, even though the benefits were real. Cleanroom software methodology is another example. Empirical studies show it usually produces low-defect software faster than traditional approaches in a very cost-effective way. Studies even show that first-time users of the methodology often achieve a very low defect rate on their *first* set of code sent for review. Even shown the evidence & cost advantages, companies usually refuse to adopt it.
So, if you take a security job, you will be constantly fighting a battle with management, users and vendors. It's a loosing battle with a few victories here and there. It's not worth it. With your engineering background, you could be having a lot more fun designing cool or high quality embedded products.
Now, all that said, you've got the itch and you want to scratch it. Hacking things, finding problems, fixing things, etc. are fun & you want more. I say take it up as a hobby. Although not profitable, you have freedom to apply whatever idea you want whenever you want. Hackaday.com, Engadget, SourceForge, and the steady stream of academic papers on CiteseerX should give you inspiration & opportunities to contribute. (If your college offers access, you can get tons of good papers on high assurance & security engineering from IEEE, ACM & Springerlink. Best of them were in the mid-80's to mid-90's.)
Just stay out of the industry and keep with the spirit. ;)
I'm not buying into the "part criminal" thing. All of us are able to use our skills, knowledge and experience for either good or wrong. The smartest learn to approach issues from more than one perspective, which is what differentiates them from lesser gods. Whether a science or technology is being used for better or for worse, like beauty, is only in the eye of the beholder.
Go with Nick P's advice. If you're not convinced, learn to play at least one instrument. It will become your best friend, especially in those times that when looking into the mirror all you can hear is the sound of "The Fool on the Hill" by The Beatles.
@ Nick (not Nick P.; thoughtful reply to you and Clive will take more time, as always):
Welcome to the best think-tank on the blogosphere! Yes, the free exchange of ideas here, by those with great minds and also by me ;-D, far exceeds the usual blog or forum. You've a treasure trove in store, and what Dirk Praet said: Nick P. is an excellent source of advice, because he's been there, done that, gotten the T-shirts ripped off his back.
I'm not a security or IT pro, but rather have a background in economics, and pursue ITsec as a hobby, as Nick P. said. Unfortunately, in the current economic climate in the US, working in the financial field isn't any better than working in the security field. :-(
But so long as I'm posting, at least you know that the cable bill has been paid! :) (or I'm war-driving the numerous unsecured networks in the area -- does that make me a psycho? :-O )
Enjoy, and GL in whichever path you take.
"not Nick P.; thoughtful reply to you and Clive will take more time, as always"
That's fine as always. My lengthy replies take about 10-30 minutes. Just whenever you have the time. ;)
"(or I'm war-driving the numerous unsecured networks in the area -- does that make me a psycho? :-O )"
Nah, just a criminal at worst. I find a collection of WiFi hotspots can be handy when real privacy is required. Much more trustworthy than Tor...
HJohn: Got the 1% from the article, so they can't count either. :-)
But my point is that the relative size of the figure isn't relevant. If it's only one in a billion, it's still a a failure - because the other billions AREN'T TRYING. If you TRY to penetrate security, the odds go way up.
And it's the people TRYING to penetrate security that are the point of the exercise. You can't judge how effective your security is based on all the people who DIDN'T try. Which is what the TSA is saying.
The main point of the 25,000 breaches is that if people who AREN'T trying can breach the system that many times, then someone who IS trying has a much better chance.
In fact, the issue isn't even one of chance or probability. That is the basis of the entire TSA program - chance. In reality, the issue is whether the system can be defeated by someone. And we all know that probability is MUCH higher. In fact, it's almost a certainty.
Because the TSA system is by definition set up to defeat someone who is relying on chance. Someone who ISN'T relying on chance but relying on finding and exploiting other weaknesses in airport security will find them. And aside from his plan being foiled by pure chance (things do happen to screw up the best laid plans), he will likely succeed. And his likelihood of succeeding will be far higher than if he played the TSA's game of chance.
Tommy: Thanks for the +10. I'm usually more around a negative five in appreciation on the blogs I frequent. Assuming I'm not already banned. :-)
@ Clive Robinson; Nick P.; Richard Steven Hack
(serial, not parallel, but posting three in a row feels like "flooding):
Rest assured that I have no desire to stage a coup. ;) And your grip on The Crown is further solidified by using 7 or 8 paragraphs to pick apart a two-line attempt at an analogy -- apparently a bad analogy, in His Majesty's judgment. ;-D ... Perhaps a different analogy will please The King: We observe that a cashier turns her back to get something from the shelf while the register drawer is open. We immediately realize how easy it would be to grab cash and run. But we don't. That's the Δ between us and criminals.
Or, more sophisticated, devise a strategy to distract the cashier while we loot the place. This actually happened in the US recently. Two men hauled all kinds of goodies out of the store, while their female accomplice walked around within the cashier's field of view while wearing nothing but panties made out of dental floss. The crooks could have hauled off the entire refrigerated cases and not been spotted...
Still, there is much value in your treatise, as always. The one point missed was the Darwinian advantage to the Catholic Church's ban on birth control: Devout Catholics would soon out-reproduce all cultures and religions in which birth control was acceptable.
"Some scholars actualy argue that "virgin" as in "virgin mary" does not mean what it currently means, and actuall ment "a woman who had not had children"."
I've long been aware of the issue. Words and their meanings change over time, and the Bible has also gone through multiple languages: Ancient Hebrew, Aramaic, Greek, Latin, >>> King James English, modern English for some. The issue is that the Hebrew word that is translated as "virgin" in the famous prophecy, "A virgin shall conceive", was also used to mean any young, presumably unmarried, woman. So the "virgin birth/Immaculate Conception" would go down the drain, and with it, a lot of religious sects.
@ Nick P.: I've confessed to His Royal Lengthiness that the analogy was poorly chosen. The cashier rip-offs described there were probably better.
"I've noticed that the majority of people get frightened or uncomfortable when I talk about weaknesses spontaneously. They act like there's something wrong with me for even saying it. My friends in the business often get the same reaction."
We all like to believe in security theater, because it makes us comfortable. You're telling them that the Emperor has no clothes, and no one likes to be disillusioned, much less frightened that they are not secure. The like even less the implication: That they have to *do something* about it. As RSH said, we live in the real world; 98% live in a fantasy that provides a comfort zone.
"It's hard for me to care about giving them headaches during a test when I read things like the Firesheep facebook story. I guess I don't care because they don't care. I can't speak for the others' motivations. I do, however, care about those who do what they can."
Agreed. Unfortunately, technology has evolved beyond the ability of the average person to understand it. It's not that the Facebook people don't care; it's that they don't know. And FB certainly doesn't tell them, nor require them to complete a study course before joining. ;) They gain commercial value from users' ignorance. Unfortunately, so can thieves. (Actually, FB itself is a thief, but that's another topic and long discussion.)
You don't need to know how a refrigerator or a washing machine works; you need know only how to use the controls. Invisible demons don't lurk inside. I have great sympathy for non-tech users, and considerable empathy, precisely /because/ I was one at first. Those with M.S.C.S or other formal education, training, and experience may not be able to empathize quite as well. I have another analogy in my back pocket if need, but I hope that one works.
"I have no respect for the law: I merely follow it most of the time to avoid punishment."
So, we'd better not ever meet F2F, because if I p*ss you off, you might kill me, except for the fear of punishment? Scary .... (LMAO). I'm hoping you're generalizing way too much, and that you truly don't kill and rape because you believe that it's wrong to do so, rather than for fear of being caught. As far as other laws that attempt to micromanage our lives (laws against drugs, prostitution, gambling, some ridiculously low speed limits, various bedroom activities between consenting adults, etc. ad infinitum), it's not psychopathic to resent or break those; rather, it's a psychopathic Gov dictatorship that dictates (hence the word -- I *love* etymology) these things that should be our own choices.
"I guess the differentiator is that criminals break /serious/ laws more consistently than most members of society. And these might be laws that mostly benefit society." (my emphasis). Yep.
"People with the security mindset are more likely to do the same."
I don't picture truly security-oriented individuals robbing banks, committing murder and rape, etc. more often than the rest of the world. Crooks study the security of a bank for the sole purpose of devising a strategy for the heist. They don't have a security mindset; they have a criminal mindset, and "security" is just one item to be looked at and planned for, along with the best getaway route, where to dump bodies, etc.
"As for Hitler, most people don't know that his Christian beliefs & zeal inspired his anti-Semitism."
Hitler was quoted as saying to his top officers that his ultimate goal was to eliminate religion altogether: People should have no idol higher than the German State itself. (and worship /him/, of course.) But he realized that saying so publicly before achieving total domination would cost him support of the majority. As it happened, he didn't last long enough to do this. I don't have a source handy, but WikiP should, for such a noteworthy observation, or Scroogle.
"I'm not saying it makes us psycho's or nearly as bad: just similarities in the thinking style. I'm nothing like a psychopath in practice. "
Ay, there's the rub. (Hamlet's famous Soliloquy, parodied many times by Your Humble Servant) This discussion was prompted by your previous post that "It's fortunate that he at least made some good observations & quotes, like we're part criminal." I don't think we're part criminal, any more than you can be a little bit pregnant. You are or you aren't. We think like the psycho or hacker -- freely and without guilt -- to help devise counter-strategies. or just to amuse ourselves. Not pregnant. If you hack (crack) or rob = pregnant.
>>>> "Edison trying 900 light-bulb filaments"
"You're underestimating him. He actually tried at least three THOUSAND attempts... “
IIRC, the famous quote about his assistant being so discouraged at zero progress, and Edison saying that they had made huge progress by finding out what doesn’t work, was made when the attempts were somewhere in the 900s. Quoted from memory; don’t know the exact number; but not important enough to look up. The point was what we both agree upon: “And, yes, such obsessiveness can pay off if applied toward solving a useful problem.”
@ Richard Steven Hack:
“Tommy: Thanks for the +10. I'm usually more around a negative five in appreciation on the blogs I frequent.”
I don’t fall for the fallacy of “argumentum ad hominem”. For our purposes here, I don’t care what your LE record is or how much time you’ve done; all that is judged is the merit of your ideas. (All true /logicians/ think that way, but most /people/ don’t.) Which is often excellent, as in our thread about how to improve online banking security, or introducing the “engineering mentality” here when no one else had, and it was only “security mentality vs. psychopathic mentality”.
Also, I share a number of your beliefs and philosophies (certainly not all of them), even if I might disapprove of your (past?) methods. And I can empathize with the frustration and anger at a world of corrupt and power-hungry governments, US included. As noted in the US Declaration of Independence,
“We hold these truths to be self-evident, .... That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. ...”
You’re open and honest about your past and about your way of thinking. Which means that you add a valuable new perspective here: Nick P. and I seem to agree that we might think as a criminal or psychopath would think, but not put that into action; therefore, I proposed that security mindset does not equal psychopathic mindset. (Why doesn't the "does not equal" symbol work here? I tried, but it came out as ?) As an admitted criminal, you bring the criminal mindset to the table, making for a larger and more diverse picnic for all. I can’t speak for anyone else here, but I respect and appreciate that.
@ Clive, The Emporer of Essay:
How many points for a post of 1562 words?
Nick P: From what I've read, the advice not to get into security comes from the standpoint of being hired by a non-security corporation. Yeah, they don't pay. But "security consultants" make money, from what I've read, charging corporations absurd hourly rates to tell them what their in-house people already know.
So to Nick (Not P): Get hired by a security organization that charges up the wazoo for "consulting". If you pick the right outfit, you'll probably make more money than being some grunt programmer or system analyst or sysadmin.
Your only problem then is the usual "chicken and egg" issue of: You can't get hired because you've got no experience (and in security experience is a big deal) and you can't get experience until you get hired. The only solution to that is hack on your own - and stay out of jail - until you can demonstrate experience. Certifications are nice but ultimately irrelevant; demonstrated ability is what counts.
And then the problem is a lot of security organizations won't hire real hackers - although it's in dispute whether that's really true or just their public face while hiring hackers under the table. Seems to be quite a few ex-felon hackers are still working in computer security whether the industry likes it or not.
Or maybe they're distinguishing between the hackers who get caught and the ones who don't. That makes SOME sense: If you got caught, maybe you're not that good. :-)
And given how crooked many of the security industry people seem to be (looking at HBGary Federal here), it's hypocrisy at best.
Alternatively, just learn to hack on your own and join the rest of the hackers who are getting well paid for breaking into places and selling the information. If one believes in "no more secrets", this is probably the most honest way to do hacking for money. It's better than spamming, selling malware, running botnets, or overselling "consulting" moonshine to the government or corrupt corporations at the public's expense. It's what I intend to do at some point.
"Devout Catholics would soon out-reproduce all cultures and religions in which birth control was acceptable."
As immortalised in the legendary Monty Python song "Every sperm is sacred".
@ Dirk Praet:
LMAO! Forgot about that one! ... I can't tell you how much blasphemy I must have committed over the years. (Blaspermy? heh!)
"Imagine" - John Lennon
"In Vagin' " - tommy - has some sperm refs.
"Clive, The Emporer of Essay How many points for a post of 1562 words"
Hmm I'm not sure but m'publisher offeres half a groat per word ;)
Which brings me back neatly to your other comment,
"The Crown is further solidified by using 7 or 8 paragraphs to pick apart a two-line attempt at an analogy"
Have you ever written a book?
It was once pointed out to me whilst doing so that one way was to write about twenty pages for the domain expert and then expand them to two or three hundred pages for those starting out in the domain.
I guess we should ask Bruce what his underlying method(s) are, though from a personal point of view I think his style has changed a lot over the years.
Tommy: "Hitler was quoted as saying to his top officers that his ultimate goal was to eliminate religion altogether"
I studied Hitler and the National Socialist movement quite closely back in my Army days, mostly because they were an effective political movement and I'm always interested in anyone who is or was effective, whether their end results are bad or not. I've read a number of biographies as well as Mein Kampf itself, which is a rather smarter piece of work than is generally admitted by reviewers who can't afford to be condoning Hitler.
Hitler frequently compared himself to Jesus and his Catholic upbringing definitely influenced his views especially vis-a-vis Jews. Of course, later his revolutionary political views colored everything more.
He had occult influences later from various people in his early adult life but was never an "occultist" himself as far as most historians can tell. There were occult influences in and around some of the Nazi factions, or precursors, as well, an outgrowth of the general rise of occultism in the late 19th and early 20th centuries.
Anti-Semitism was primarily promulgated by the Christian Church to cover up the fact that Jesus was a good Jew who had no intention of founding a new religion, let alone one that would persecute his own people in his name for the next two thousand years. It's one of the major historical jokes (and disasters), on a par with the fact that the current Israeli Jews (who are mostly Eastern Europeans who converted hundreds of years ago) are oppressing the descendants of the original Israelites who converted to Islam back in the day in the name of a "Jewish people" who never existed until the late 19th Century according to "The Invention of the Jewish People" by historian Shlomo Sand.
You can't make this stuff up! It's human history! :-)
@ Richard Steven Hack: "Got the 1% from the article, so they can't count either. :-)"
Leave it to an auditor. ;) Np, i regretted my posted a few hours later, thinking that 1% may have been used as a figure of speach.
@Richard Steven Hack: "But my point is that the relative size of the figure isn't relevant. If it's only one in a billion, it's still a a failure - because the other billions AREN'T TRYING. If you TRY to penetrate security, the odds go way up."
That's definitely a fair point.
@ Nick on July 18, 2011 9:48 AM
Others have given you the "here be dragons" reason for not getting into info sec, and by and large they are right, the price of the cherry on top of the cake is in general to high.
However let me give you a piece of advice that might not just "let you get the cake and to eat it" but as well "get the cherry on top" at no cost 8)
The first thing you need to consider is basic human nature, what is it we do all the time and will continue to want to do irrespective of anything else including the state of the economy?
Depending on how clean your mind is ;) you might have realised it's "talk" or more generaly "communicate" in some way.
The entire ICT industry is based not on logic but the communication of information.
So my first and main piece of advice is aim your career at "communications" importantly as you progress through your education remember one very very important thing...
When you send out your CV or are interviewed the one thing that sets you appart from all the other applicants is your course projects, they are without doubt more important to a goood employer than anything else you do during your education.
So do a project in whatever it is you want to do as a career. And don't be afraid to talk about it's bad point's as well as the good, a good employer is going to want to see you where not frightend to try new and original ideas and test them and then have the maturaty to select the good over the bad and explain the reasons for the choice and the testing methodology by which you arived at the choice.
Now for the cherry, the basic almost fundamental underlying principle of communications is the "Shannon Channel" it underpins all of the technology in ICT as well as InfoSec.
Thus InfoSec is a natural and very important part of "communications" thus it comes for free with a "communications" based career, and you can pick it up or drop it without any problems within a career based around communications.
Lastly and most importantly "learn the fundementals not the tools" way way to many students make the mistake of thinking "I'm a realy good X programer" where X is the latest buzz technology.
The problem is that technologies come and go in a very short order, what you need is a very very good grasp on the fundementals, then you don't get left high and dry when the technology changes.
To put it another way a baby learns to articulate phonems (the fundemental activiy) then learns one or more languages, likewise people learn to use a pencil or pen before they write a language or draw or write music.
In programming getting a real grip on ADT's especialy that of the "container" will stand you in good stead irrespective of the programing language. Old hands will tell yo programing is not about the language or the methodology but about "Data structures and the methods of manipulation". Data and meta-data are programing language agnostic, likewise the methods by which you manipulate data, meta and meta-meta data are language agnostic.
The difference between a "code cutting monkey" and an engineer or scientist using programing as a tool is the knowledge and use of the fundementals. A "code cutting monkey" might through good knowledge of the tools crank out a thousand lines of code a day, but are those lines of any real worth?
And what do the "code cutting monkeys" do when their "tool knowledge" is obscelescent because a new wonder tool with a different work methodology comes along?
The engineer or scientist generaly does not care about which tool they use, they simply use what is available to them. The code they write with it might not efficiently use the tool but their efficient use of the methods they use to manipulate the data usually offer much much greater gains.
@ Richard Steven Hack & Nick
"Nick P: From what I've read, the advice not to get into security comes from the standpoint of being hired by a non-security corporation. Yeah, they don't pay. But "security consultants" make money, from what I've read, charging corporations absurd hourly rates to tell them what their in-house people already know." (RSH)
No, I said quite the opposite. There's good money to be made doing both pentesting and security "consulting." I was telling him that most security jobs would suck in many ways. Having done the remaining ones, like consulting, I feel comfortable saying they become pretty routine & don't give me the rush I get from discussions on this blog or tinkering with systems privately. When it comes down to it, it will be just a job & mostly boring. A career designing products let's him constantly solve new problems & brag about how many things he invented. And it pays well.
Nick, like me, seems to get a rush off tinkering, hacking, and applying the security mindset. He wants more of it. He wants to see where it will lead him. I'm just saying the best way to do that is to make it a hobby. Maybe mess with open source stuff, build/strip things in his garage, etc. He'll accomplish much more that way than doing audits for companies or explaining for the 143rd time to a layperson why an antivirus app doesn't make a system "secure."
@ Clive Robinson:
"Have you ever written a book?"
Yes, but it's so far O/T to this blog that it's not worth mentioning. But your point, for technical or scientific writing, is well-taken.
"m'publisher offeres half a groat per word ;)"
I hope you're holding him to the old definition: "groat:
"medieval European coin," .... Recognized from 13c. in various nations, in 14c. it was roughly one-eighth an ounce of silver"
With silver at close to USD $40/oz, that's $5 per word, or about £3 per word. So my post is worth almost $8,000 or £5,000. ;-D
Unfortunately, I'm betting he uses the other definition: "the English groat coined 1351-2 was worth four pence." Alas! :)
@ Richard Steven Hack:
"Anti-Semitism was primarily promulgated by the Christian Church to cover up the fact that Jesus was a good Jew who had no intention of founding a new religion, let alone one that would persecute his own people in his name for the next two thousand years."
And here I thought I was the only one in the world who knew that, or at least would say so publicly.
"descendants of the original Israelites who converted to Islam"
Actually, the feud and split go back farther than that, even though Mahommet may not have shown up until some centuries after Jesus. All - Christian, Muslim, Jew -- are descended from Abraham, as told in the Bible, and in a Clive-recommended précis in the footnotes to my favorite medium of expression, satire by song parody:
"Oklahoma!" - Rodgers & Hammerstein, from the eponymous musical
"9/11" - tommy
Not so much explanation, but a lament of the tragedy of it all, here:
"Who Put The Bomp?" - Barry Mann
"Who Put The "Blam" In The Ramadan Of Islam?" - tommy
"You can't make this stuff up! It's human history! :-)"
Sure you can. "History is written by the winners". -- Who rewrite it regularly. But I get the point. ;)
Oops! You said "half a groat". Cut my numbers in half. Too busy looking it up and doing the conversion, I guess... :-(
Clive: I'll say anything publicly. That's why I get banned from forums. :-)
I got banned from Josh Marshall's Talking Points Forum for saying that if Israel didn't shape up, someone would nuke them with one of their own nukes. Since Marshall is a "closet Zionist", that was a no-no. The fanatical Zionists I was arguing weren't banned. And this was after Marshall had explicitly laid down new rules to reduce the noise on his forum that explicitly said no one would be banned without first several warnings. I got ZERO warning.
Then when I complained about this action over at HuffPo, THEY banned me!
I criticized the "Terminator: The Sarah Connor Chronicles" show second season so much on one forum I was not only banned one of the writers of the show used my name in episode 19! :-) Then I was banned from the official wiki for the show for criticizing the producer and saying the show would likely be canceled - which it was.
Nick P: Oh, yeah, all jobs suck - that's a given. That's why I work for myself - and that sucks. :-) I really need to just get in shape and marry some rich hot actress like Summer Glau. :-)
@ Richard Steven Hack:
"Clive: I'll say anything publicly. That's why I get banned from forums. :-)"
Do you possibly have Clive and me confused? ... It's easy enough. Our styles are practically identical. ;-D
@ Richard Steven Hack
"writers of the show used my name in episode 19!"
I feel compelled to watch that episode now.
"Nick P: Oh, yeah, all jobs suck - that's a given. That's why I work for myself - and that sucks. :-) I really need to just get in shape and marry some rich hot actress like Summer Glau. :-)"
Some are much worse than others. Funny that I've been thinking about the same strategy. Although, I was leaning more toward Mila Jovovich or that hispanic chick from Repo Men. They're as fun as they are beautiful. ;)
"Do you possibly have Clive and me confused? ... It's easy enough. Our styles are practically identical. ;-D "
It's getting deep in here. Real deep. I'm going to be washing off more than my shoes.
Please have some consideration for people who come to the blog to read about security, and don't want to wade through off-topic comments to find it.
You've mentioned your song parodies in 21 comments this month alone. Please don't do it anymore. You can, of course, still use the URL field to link to pages on your site.
Thank you for the nicely-phrased request. My reasoning was that those that are linked in the comment body are those that are pertinent to the topic, which would be perfectly acceptable if they were prose essays instead of parody. And satire has been recognized as a legitimate and valuable form of social critique since ancient Greece and Rome.
But it's Bruce's blog, and his and your rules, so it won't happen again in the comment field, I promise. Again, thanks for the gentle request vs. harsher language - it's much appreciated.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..