Apathy in the Security Community
I've been traveling a lot lately. I've seen a lot of interesting things, done some interesting things, and talked with some interesting people, some boring people, and some legitimate crazies. I have a lot of material to discuss, and a lot to ponder.
I mentioned in a previous blog post that Black Hat and Defcon left me with some insights into the world of security, and they were largely confirmed in the past weeks. Here are a few random thoughts and reactions:
The hacker community is getting stale. Sure, the attendee numbers at conferences are still growing, but in most cases, the hacker mentality just isn't there. Before I get flamed, yes, I know that it was always a small core of people, and those people are still there. In addition, I'm actually all for having the noobs show up at Defcon, just to get a taste of what we're all about. But... I keep thinking that when I go to these events, the excited-to-be-here and stoked-to-do-things vibe isn't nearly as strong as it was just a few years ago. Geeks aren't particularly social people- I can deal with that, but I'm seeing a lot of people who are just there to be there. I guess that happens in every community- I've seen the same thing happen in various other communities over the years, but I really don't like the idea of it happening to the hacker scene.
That said, there are always some bright spots. At Toorcon, I happened to be watching as two attendees rigged the candycorn-counting-contest. One asked the staff at the registration desk to stand up and face him for a photograph, and the other walked by and swapped out the jar of candycorns while their backs were turned. Most places, this kind of cheating would be unacceptable behavior, but at a hacker convention... I'm disappointed when I don't see it.
Short version... I dunno... I just want to see the attendees get more involved in those things. It's more fun that way anyways. You don't have to be a 1337 haxx0r who hasn't showered all week to make exciting things happen.
On the other side of a fast-growing split between the security community and the hacker community, we're seeing the same problem. I was in DC for CSI this week. I spoke on a 3-hour web security panel with Rafal Los, Joshua Abraham, Jennifer Jabbusch, and Sharon Besser. The people on the panel were smart, lively, and passionate about what they did. We had a great discussion. The people in the audience though... they didn't really care what was going on. I get the impression that half of them were just there for CPE credits, and the other half were government employees looking for a paid vacation. The fact that these people are tasked with securing data in both the government and corporate worlds scares the crap out of me.
There were a few people there who were willing to ask questions and actively participate in the discussion, but they were the exceptions. I don't understand how a person can work in security and not be extremely passionate about his job. We do very cool work here and we work with very interesting people. Having spent time in a lot of other industries, I can honestly say that I've never worked with a better group of people. What's more, if you aren't passionate about it, there is no way you can keep up. The security world changes daily, and while we joke about our addictions to our smartphones, email, and twitter, if you take a few days off, you really will get left behind. It takes serious commitment just to keep up, but it's totally worth it.
If you're one of those people who just doesn't care, get out of this industry. There's got to be a better use for your time. If you do want to stick around, find a project to work on, something to get involved in, or at least start a blog with random thoughts. Even if you're wrong, ridiculed, and flamed, it's helpful to you, the community, and everybody else.
Maybe I'm an idealist, but I just want to see other people get as excited as I am.
Labels: Conventions, rants


4 Comments:
This is sort of related, but OK not really... one thing that has always bothered me as a sysadmin who also has to deal with security issues regularly (running an ISP and internal viruses, physical security, etc) in a production environment is when you hear security pros lamenting how "lazy" or "stupid" someone is for not patching some system, installing the latest version, etc.
I think the problem here is simple, when you work 24/7/365 on security issues, the other side of things, i.e. actually producing things to sell for money and pay the bills, is often forgotten.
For example, although "impossible" by some security pro standards, patches actually do break things. And sometimes, irreversibly. I have seen this too many times with my own eyes to think otherwise. Bang, one of your critical production systems is out of business until you fix it or get someone to fix it. Maybe it's a proprietary system running an OS you have never seen before, maybe you are contractually forbidden to do anything with the machine, or maybe you only have 15 minutes to fix it before the company quite literally loses ten, twenty thousand dollars. After this happens to you once or twice, you're going to think twice before patching, and if YOU don't, your employer, or maybe now former employer, is going to think twice.
Maybe your company doesn't have an extra 60-100k to pay someone to test patches on a test network composed of thousands of dollars of equipment.
I actually had some people on a DNS-based spam block list tell me to switch my corporate internet over from ATT because basically they don't like ATT. Well I don't either, but if you think for a second the owner of my company is going to say "oh sure, I don't mind spending a few grand and several nights of downtime, overtime, etc, just to get off ATT because some random guy on the internet told you it's bad", you're living in another dimension than myself.
I guess this is a rant, and it's not at all directed at the nice and helpful writer of this site, but just at many people in the security field.
By lezneb, at October 30, 2009 12:56 PM
That really is a different set of issues, but it's a discussion I've had more than a few times recently.
All of the changes you discussed above are technical problems, but when money is required to solve them, they become business problems. It is completely within management's right to say "hey, hold off on patching that system for now," and you will never (or at least should never) convince management that security is more important than making money.
That's not a bad thing. Leaving a system unpatched won't immediately destroy a company. Management's job is... well, to manage. It's their call whether you get the budget, the time, or the personnel to do security right. If they're failing at it, step out of that company- if you're good at your job, you can find work anywhere, even in a crappy economy.
The important thing, of course, is that when management decides security issues aren't important enough to fix, they take responsibility when those security issues cause problems. That's why they get paid the big bucks.
When a security guy is screaming at your company and saying you suck at security, they may be right. It may not matter. Still, by publicizing weaknesses, they may leverage PR, customer loyalty, employee morale, or even the company's bottom line to change the dynamics of management's decisions, and make it more of a priority.
Security people may think security is top priority (and for us, it really is), but we have ego problems. The best security people are the ones that can give the necessary information to management, allowing them to make the decisions with an awareness of the important issues, and then implement those decisions.
Bringing it all back to my original post, security people who are well informed themselves, care about their jobs, and even have big enough egos to think the company will fail without them, are going to be much better equipped to provide the necessary information to management. It may be skewed towards the paranoid, but again... that's an issue to be recognized and taken into account by the people on top.
By mckt, at October 30, 2009 1:15 PM
lezneb, when you make the move from one provider to another there is a period of time when both providers are active. There is very little down time and it does not have to be done on weekends. That is the trouble with system admins, you need to leave networking and security to the professionals and stop trying to do everything on your own.
By Anonymous, at November 23, 2009 11:50 AM
An interesting and related comment from Bruce Schneier and Cormac Herley at Microsoft Research.
http://www.schneier.com/blog/archives/2009/11/users_rationall.html
Abstract: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.
By hapbt, at November 24, 2009 12:06 PM