Saturday, October 01, 2016

"Why do you work in security instead of something more lasting?"

This post grew out of a friend on Facebook asking (I paraphrase) "why do you spend your time on security instead of using your brainpower for something more lasting?". I tried to answer, and ended up writing a very long reply. Another friend then encouraged me to re-post my reply to a wider audience. The below is a slightly edited and expanded version. It is much less polished than my usual blog posts, more personal, and somewhat stream-of-consciousness-y. Apologies for that.

Why do I work in security instead of on something more lasting?

Predictions about what is "lasting" are very difficult to make :-). I think outside of the exploit-of-the-day, there's lasting work to be done in the understanding of exploitation (because machines and automata aren't going away, and neither are programming mistakes), and I sincerely hope I'll have the opportunity to do that work.

I tried my hand at cryptography / academia, and found it more prone to political trends/fads and less blindly results-oriented than security - to my great disappointment. When all attacks are of theoretical complexity 2^96, verifying and replicating results becomes difficult, and objective truth suffers (see below).

In the following, I will state a few things that I really like about the computer security community. I did not realize this immediately - instead, I learnt this over many years of engagement in other communities.
  1. Original thinkers. I used to joke that there are fewer than 2 dozen reasons why security as a field doesn't suck, and I know many of them personally. Now, the 2 dozen is bullshit, but what is true is that in all the noise & hype, I have met a number of very fun, unconventional, and deeply insightful thinkers of very different backgrounds. They are few and far between, but I wouldn't have met them without security, and I am grateful for having met them. Many exploits require considerable inventiveness, and non-obvious / creative ways of solving problems; they are sometimes like a good joke / magic trick: with an unexpected twist that makes you laugh in disbelief.
  2. Tolerance of non-conformism and diverse educational backgrounds. There are few other industries where people who did not finish high school mix with people with postgraduate degrees, and debate on even terms. With all its problems and biases, the part of the community I grew up with did not care about gender, skin color, or parental income - everybody was green writing on a black screen.
  3. Intellectual honesty. When discussing attacks, there is "objective truth" - you can establish whether an attack works or does not work, and checking reproducibility is easy. This is not true in many other disciplines, where "truth" becomes a matter of social consensus - even in pure math, where proof should be absolute. Having objective truth is extremely helpful in preventing a discipline from devolving into scholasticism.
Many other fields which may be more "lasting" do not have the luxury of these three points. Also be aware that my visibility into the security community is very skewed:

My skewed view of the security community

It is common to hear negative things about the community - that it is elitist, full of posturing, or of people that are mean / demeaning to others with less experience. This is not the community I experience - and this discrepancy has been puzzling me for a while.

For one thing, everybody is always nice to me. I am not sure why this is the case, but the only non-niceties I encountered in this industry were in leaked email spools. This makes it difficult for me to notice people being mean to newcomers and elitist - and it saddens me to hear that people are being shit to each other.

People weren't always nice to me - like any group of teenagers, 1990s IRC was very often not a friendly place, and #cracking would kickban you for asking a question. I found a home of sorts in a channel called #cracking4newbies - a very welcoming environment dedicated to joint learning. It was great for me: I could ask questions, and either got answers or links to documentation. A few members of #cracking were no longer active, and held status in the channel for historical reasons; #cracking4newbies, on the other hand, was full of eager & active youngsters.

I somehow managed to avoid being around the posturing and status games much, and in some bizarre stroke of luck, have managed to do so up to this day. The people in the security community I spend time with are genuinely interested in the technical challenges, genuinely curious, and usually do not care about the posturing part. The posturing may happen at industry conferences, but I tend to not notice - the technically interesting talks tend to adhere to substance-over-style, and the rest is as relevant to me as big advertisements for broken content inspection appliances.

All I want to say with this section is: I do not know how I managed to avoid experiencing the bad sides of the security community much. Some of it was luck, some of it was instinct. There are plenty of things I find annoying about the security community (but that is for another post :-), but in my day-to-day life, I don't experience much of it. If you are in security, and feel that the community is elitist or demeaning to people learning, I hope you succeed in seeking out the (many) people I encountered who were happy to share, explain, and just jointly nerd out on something. Feel free to reach out any time.

On building vs. breaking

I quite often hear the phrase "I quit security and I am much happier building instead of breaking things". This is a normal sentiment - but for me, security was never about "just" breaking things. Tooling was always inadequate, workflows horribly labour-intensive, and problems were always tackled on the lowest level of abstraction, missing the forest for the trees.

In my reverse engineering classes, I always encourage people to be tool builders. Most of security work today is akin to digging trenches with chopsticks. Invest in designing and building shovels. Perhaps we will even get a bulldozer in my lifetime. Slowly but surely, the industry is changing in that direction: Microsoft is commercializing SAGE, no code auditor is more productive (even though more in-depth) than a farm of computers running AFL - but the discrepancy between the quality and quantity of tools that developers have available vs. the tools that security review has available is still vast.

I like my work most when I can cycle through building / breaking phases: try to break something, notice how insanely bad the tooling is, cycle through an iteration of tool development, return to the breaking, etc.

I realize this isn't the path for everybody, but I don't think that security is "always just about breaking". The most persistent person gets bored of chopstick-trench-digging. Invest in tooling. Being a better developer makes you a better hacker. And perhaps you like building more than breaking, and I can't fault you for that.

My friend Sören happens to be one of the best C++ developers I know. When we first met in undergraduate math class, I described what I do for a living to him (reading code for subtle mistakes), and he said "that sounds like one of the worst imaginable jobs ever". He is a builder, and I have nothing but admiration and respect for him - and from the builder's perspective, his assessment is right.

I still like finding subtle bugs. To paraphrase another person who I respect a lot: "People still search for new stuff in Shakespeare hundreds of years later".

Using security as an excuse for broad learning

I once read that "cryptography gathers many very different areas of mathematics like a focal lens". The same is very true of security and computer science. Security happens at the boundaries between layers, and I have used working in security as an excuse to learn about as many layers as possible: low-level assembly, high-level stuff on formal verification, and even electrical engineering problems and their implications for security.
People talk about "full stack engineers" a lot; security allows me to roam the full stack of abstractions in computer science without guilt. All layers are relevant for security, all layers are interesting in their own right, and each layer has its own funny quirks.

Summary

Given the length of this blog post, it is evident that I have asked myself the question "why do I do this" many times. And I have thought about devoting attention to other things often enough. Who knows, I am 35, so I have about 30 years of professional activity ahead of me - which may be enough to fail in one or two other fields before returning to give grandfather-security keynotes. :-)

But right now, I am actually enjoying having my hands dirty and thinking about heap layout for the first time in years.