It’s been a while since I’ve posted. More news will come soon, I am sure. However, for now, I’d like to point you to a community project.
Anthony J. Stieber and I are working on a new book and, to make it the best we can, we want the story of how you got started in information security.
Please feel free to pass this link around to others (retweet it, whatever). If you now have or have had a job in InfoSec, we want to hear from you.
We’re doing this because we’re increasingly asked how to “break in” to the field of information security. Robin Wood kickstarted the process with his survey , and many of us have done the one-on-one mentoring thing. However, we feel that it’s time to draw a line in the sand and document the process “thus far”. A clear path to entering the information security field can save years of inefficient or unethical effort.
Our book uses a simple “Learn, Do, Teach” core that guides readers to become useful community members. The core idea is to learn constantly but also to contribute and later teach others and guide them through the same process.
We recognize that few careers follow direct paths. To make the book the best we can, we ask you to share your career path with the community. These short “biographies” will show how real people have broken into information security. As a thank you for helping us with this book and to contribute to the community, each author will donate 50% of the book royalties to Hackers for Charity .
If you would like to help with this project, please send to infosec.career.stories -at- gmail.com a short description of your story, or if you prefer, at your convenience we’ll do an informal interview.
Again, please forward to anyone with an information security career story.
Feel free to ask any questions you like in the comments below or contact me directly on Twitter.
I am working on a paper on the use of metaphor in the Information Security industry. While the paper isn’t out yet (still in review), I did do a preview at the Secure360 conference last month. I finally got around to prepping my recording and getting it up on YouTube. The sound quality isn’t the greatest, but I think it’s good enough.
Here’s the original description:
There is a divide between the so-called “security/technical” people and the “business” people. We’ve all heard about how we need to “speak the language of business” and “get soft skills” to succeed. However, even after decades of trying, the divide still exists. Why does it seem that we never make progress? Are we truly not improving? Is the goal receding as we chase it?
This presentation posits that we’ve been making a fundamental error in trying to explain things to people outside our field. One thing that people-oriented people do naturally and technically-oriented people do not is communicate with others using the target’s metaphors. By taking this approach and translating issues into different frames of reference, more time is spent exploring the issue instead of arguing over why it matters.
By focusing first on being understood and second on the specific issues, rapport can be built and, over time, you can get the resources you need to win more battles.
Last week, I got my copy of All Yesterdays. (Not the used Amazon versions, as the pricing algorithm is failing hilariously.) I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.
You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.
So why am I posting this review on a blog that (more or less) focused on information security?
Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working over time to make guesses about the truth, analyze their mistakes in the face of new evidence and, through a constant stream of screw ups, come closer and closer to consensus. As they’ve done this, the consensus has shifted around severals and everyone has had to constantly adjust to the shifting truth.
In effect, it is a book about evolution… the evolution of species… the evolution of understanding… the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in Security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.
Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are a tad more hackers than professionals who draw dinosaurs from scientific principles, so we do get an advantage of numbers. Still, there is ample room for improvement.
This book explores the problems that arise from:
- Taking a superficial view of evidence
- Not comparing logical conclusions to examples of modern data
- Avoiding analysis and basing beliefs on the misguided work of others
- Looking strictly at hard evidence and ignoring behavior
- Hyper-focusing on dramatic scenarios
Syngress was kind enough to provide a free copy of this book for me to review.
Blackhatonomics was an interesting book to read. As one gets older and more skilled in one’s field, the portions of books that are new become smaller and smaller. I had high hopes that this would be a detailed dive into the economics of criminal activity and, in that, I was disappointed. There is little here that was new to me. I didn’t get into the content I wanted until Chapter 8 – “Pawns and Mules” and then stuff got good in Chapter 9 – “Globalization: Emerging Markets Aren’t Just for Traditional Investors Anymore”. Chapter 10 then discusses crime in America and Chapter 11 focuses on the world. Then, alas, we’re at the conclusion.
Really, what I had hoped for was a text written by an economics expert giving people familiar with cybercrime some detail as to how micro- and macro- economics work in that space. What I got was a book aimed at people unfamiliar with both cybercrime and economics. This isn’t bad. It’s a good book for people who are just getting started. It’s just not quite what I was looking for.
I’ve stopped rating books. It’s unfair to the authors to ding them because their book didn’t meet my expectations when the book is marketed by someone else entirely. Really, this book is a good intro for a lot of people. If you have less than two years in the Security industry or have never actually worked a hacking-for-profit case, it’d be good for you. If, however, you have a ton of experience and have worked with law enforcement to help your client, there’s little in here that’s new.
And really, that’s not the authors’ fault. What I want is up-to-date information about criminal economics, but the economic data of current crime is often locked up in court and spread across numerous countries and jurisdictions. Can we guess at trends? Sure. Can we plug data into economic models and demonstrate what’s going on? Not really. We can solve this by creating economics models. I’ve been toying with playing with ideas from Complexity theory and considering running scenarios using cellular automata to model different economic models in worlds where there is a theft component. I was hoping that this book would have done the research so I wouldn’t have to. That was, in retrospect, a rather ridiculous expectation.
So in the end. the question is “do I read it, do I ignore it or do I get it from a library?”
If you are just starting in your career, read it. It has good data and will help get you started.
If you’ve been at this for a while but are not directly involved in law enforcement, get it from a library. Skim chapter 8. Read chapters 9 through 11.
If you’re involved in law enforcement, there is likely little in this book that will help you. You can skip it.
There have been two stories in the media lately and one event on a private mailing list that have me thinking. First, the stories.
1) Former NFL Quarterback, Jon Kitna, has become a high school teacher. He did this as a way to give back to the community. However, the most important part of the story is how he is giving back. This is a story about someone trying to change his community by teaching children that their actions have consequences, even if those consequences result in the entire team losing.
2) A Canadian computer science student by the name of Ahmed Al-Khabaz was expelled from Dawson College for running hacking tools against a system that contained data for numerous students. He found a flaw, reported the flaw, but because he did not have permission to run the test, he was kicked out. He has since been offered opportunities with firms and other schools.
3) On my private mailing list, a friend expressed concern over an issue in which one of his students sent a PDF of a book to the entire computer security class. This book was a copyrighted work by someone else that we both know. This was clearly illegal and, by most standards in the security community, unethical.
So, what do all of these stories have in common? Fundamentally, they’re about young people making mistakes. What might be hard to see, though, is that they’re also about adults making mistakes. We tend, in the Security and Legal communities to see the world in black and white. Dawson College expelled Ahmed Al-Khabaz because, in their view, he was “no longer suited to the profession.” There was discussion about expulsion in the private story as well, because of similar concerns. In other words, we have colleges taking a hard line on students that screw up and are kicking them out.
The problem, though, is that one of the best ways to learn is by making mistakes. Many of the best people we have in IT Security have checkered pasts. Many of the worst people we have in IT Security also have checkered pasts. While my own past is cleaner than most, I did cross the line a few times in school and got a talking to. I quickly learned both what to do and what not to do, but more importantly, how to do.
Actions must have consequences. Without pain, we do not learn. However, if those consequences are too severe, we don’t learn either. We give up.
If we look at these issues as a society, we have people working defense who are trying things and, if they try the wrong thing with the wrong person, they’re kicked out. We also have people working as attackers. These are well-paid individuals (due to the high risks involved) and are often highly skilled because they are not hampered by people trying to get them expelled or fired for experimentation. In fact, the more we take a hard line approach to these sorts of issues, the more likely we are to identify our best learners (the young people who make mistakes) and drive them to unethical and illegal activities, as we close the door to legitimate work in their face.
In a world where the attackers are massively out-competing the defenders, I have to ask whether this is wise.
Instead, consider Jon Kitna’s story. He’s adopted hard line rules for his football players. If they screw up, they’re out … but not completely … just a game or part of a game. They’re not off the team, they’re not kicked out of the community. This still means a mistake is punished, but done so in a way where people learn from it. Those who made the mistake get the most punishment. Those who supported the mistake while it was being made get a lesser punishment, and all of them serve as examples to keep everyone else where they need to be.
As people, we learn and grow over time. Of these three stories, which supports growth? Of these three stories, which people would you rather work with as adults? Who would you hire?
I know, for me, I’d take the under-educated, low-income kids over the college students any time. Why? It’s about community. Lincoln High School is making better adults than Dawson College is. The graduates from Jon Kitna’s football team might not be the best educated kids. They might need a lot of hand holding and training to make it in the real world, but they’ll have character. If I’m working a security problem with someone, I need someone I can trust. That means I need someone who has been raised to be trustworthy. Improvement is iterative and if you’re not given the ability to learn and grow from your mistakes, you’re just going to wind up making the same errors over and over again. As a security person, a professional and, really, just as an adult, I need people who have made mistakes, owned up to them and, where possible, fixed them. I need learners and I need people who can see the shades of grey in the world. I suspect that you do too.
(This post was originally published on RJS Smart Security)