Bruce Schneier goes "Inside the Twisted Mind of the Security Professional"

Security expert Bruce Schneier wrote a great essay for Wired called "Inside the Twisted Mind of the Security Professional." He says "Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail."

Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.

I replied: “What’s really interesting is that these people will send a tube of live ants to anyone you tell them to.”

Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.

SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”

Really, we can’t help it.

This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.

Discussion

Take a look at this

Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.

Not really true. Good engineering involves thinking about both.

In any case this is just another way of referring to the mindset of a hacker, whose instincts and motivation are to determine how things work and by extension how they might be exploited.

--K

Take a look at this

My Flying Spaghetti Monster! I never thought about it that way before, that is how I see the world around me! As long as I can remember I look for tricks, hacks, vulnerabilities in everything (drives my wife crazy). Always thinking of ways to beat other's securities and systems, almost a game to me. Good thing I am a nice guy and not Darth Cheney!

Take a look at this

Speaking of "thinking how things can be made to fail", I just got the lovely "Text entered was wrong. Try again." message AGAIN. That's something like ten times this week. I guess Boing Boing ARE security professionals after all?

The original version of my message read:

Speaking of "thinking how things can be made to fail", clicking on various internal links on that SmartWater page produces lovely "Server Error in '/' Application. The resource cannot be found" errors. I guess they ARE security professionals after all?

Seriously, folks: please fix it. Please?

Take a look at this

@ Kmoser: Yes, "engineering vs security (or hacker) mindset" is probably too simply put. Engineering failure analysis probably produces the same kind of mindset.

Take a look at this

After several years of assessing hazardous waste sites I've developed a sense of how the variably lazy or greedy people who spill or mishandle hazardous materials tend to operate, where the systems in place tend to fail, and what the signs are of a likely problem. I can really appreciate his mindset.

Take a look at this

so has anyone written the "people are lazy, dishonest, stupid" algorithm so we can predict this stuff?...oh wait....

Take a look at this

I wonder how many security people develop the mindset because they have Post Traumatic Stress Disorder. Hypervigilance is one of the biggest symptoms. I know that after the Loma Prieta earthquake, I never walk into a large building without looking for something to stand under and an escape route.

Take a look at this

It's interesting, but I wonder about the personal consequences of developing such a mindset. I was a martial arts practitioner & instructor for many years, and found that developing a good self-defense mindset involved seeing potential attackers everywhere, and this led to assessing the physical vulnerabilities of everyone around me, especially when walking down the street. I was looking at the world through fight-colored glasses.

Could finding security/exploitation holes everywhere in the world around us develop a similar paranoia?

Take a look at this

gee Antinous, then you'll be happy to hear the latest forecast for the Big One is 99% in the next thirty years. That's "today" in geological time.

Take a look at this

I'm also reminded of something a character said in Lois McMaster Bujold's novel "Cetaganda":

"He works in intelligence, not counter-intelligence. His motivation is curiosity, not paranoia."

Take a look at this

Any cute catchphrases or Zen epigrams simply fail.
For a simple and very scary fact. As systems grow more complicated the potential exploit points grow. As such - the miracle of our Internet age WAS how few percent of us USED TO have no security concerns.
The Net has become a fact of mundane life. And as in the material world, certain types of criminal stupidity will be exploited. Thus the race between Security and Criminals enters new battlegrounds each day. Frankly - I do not see a "Technical" stand alone win here. For either side. And that's a sobering fact.

Take a look at this

Not to pile on with the engineer/security false dichotomy, but it was friends in engineering-type fields who introduced me to the idea of a "single point of failure," which I believe is something system designers of all kinds worry about.

Take a look at this

@8

if you keep it up long enough, it goes away.

#15 posted by Tom, April 15, 2008 12:37 PM

Good engineering education is very failure-focussed. I once had a course with a title something like "Power Generation and Use" which was really "1001 Ways to Fuck Up a Steam Plant." This is typical.

Software "engineering" is rarely worthy of the name, and is so far as I know still a legally prohibited term in some jurisdictions. One way to tell if a person is an engineer writing software or just someone who knows a bit about programming is to ask them if they're familiar with Stephen Flowers' Software Failure, which is still probably the best book in the field.

The difference between the security mindset and the engineering mindset is more about what kinds of failure we are concerned with. Security experts seem more concerned with human process failures, as in the examples Schneier gives, rather than failures of the physical system, which are more what keep engineers up at night.

The engineering attitude can be a useful one to have. After living in LA for a while in the early '90's I managed to miss both the Rodney King riots and the Northridge earthquake because I evaluated the city as a collection of failures waiting to happen, and wanted to avoid that feeling of being really, really dumb you get that comes from dying in an entirely predictable event.

#16 posted by Maddy, April 15, 2008 12:44 PM

@7 -- I agree. After 9/11 I was constantly looking for avenues to terrorize. You go into prevent mode by worrying about what you need to prevent. Although I was more of a cowardly terrorist, wanting to be alive and on the loose after committing the dastardly deed.

My dad was a mechanical engineer, and things not working or breaking were always valuable to him because he could explore what went right, even when it was going wrong. He used to say that many engineers threw away good ideas just because of poor execution. This was his form of trash-diving for ideas ...

#17 posted by Maddy, April 15, 2008 12:48 PM

we've always had criminals, we've always had things for them to exploit, steal, wage war on, etc.

the problem is, NOW, they can not just screw up their little corner of the world, they can devastate the whole world, and for a timespan of FOREVER with their malevolent mindset.

a determined baddie can wreak so much havoc with the interconnected-ness of the world and the availability of bigger & better weapons ...

Take a look at this

To my everlasting shame, I do this at people's design reviews: "Haha, THAT looks easy to vandalize!"

I guess this makes me an urban design security expert??

Take a look at this

Simply put:

Set a thief to catch a thief.

It's not like we all didn't expect to learn that TSA screeners are terrorists.

Take a look at this

Good engineering education is very failure-focussed.

Medical residencies work the same way. Make every possible fuck-up while there's still somebody around to (hopefully) fix it.

#21 posted by Takuan, April 15, 2008 4:05 PM

Dear Tom:

a long quote but a good one:

‘CIA’s flawed software caused 1982-Siberia gas explosion’

WASHINGTON: The CIA exploited the Soviet Union’s desire to pilfer
western technology to send it flawed software that resulted in a huge
explosion on a natural gas pipeline in Siberia in 1982, The Washington
Post said on Friday.

Nobody was killed in the blast, but it did significant damage to the
Soviet economy, said the daily quoting the memoirs of Thomas Reed, a
former Air Force secretary who served in the National Security Council.

Approved by then US president Ronald Reagan, the plan was part of
‘cold-eyed economic warfare’ against the Soviet Union that the Central
Intelligence Agency conducted under Director William Casey, said Reed,
whose book, ‘At the Abyss: An Insider’s History of the Cold War,’ will
be published next month.

Reed said the Soviets in 1970 had created a special KGB section to plumb
Western research and development for badly needed technology. The secret
programme was later disclosed by a Soviet engineer to French
intelligence, who in turn alerted the Reagan administration in 1981.

Shocked by the knowledge the Soviets were stealing abundant Western
technology and aware the United States at the time was trying to block
Western Europe from importing Soviet natural gas, the CIA came up with
the idea of slipping the Soviets technology that would work for a while,
then fail.

"In order to disrupt the Soviet gas supply, its hard currency earnings
from the West, and the internal Russian economy, the pipeline software
that was to run the pumps, turbines, and valves was programmed to go
haywire, after a decent interval, to reset pump speeds and valve
settings to produce pressures far beyond those acceptable to pipeline
joints and welds," Reed writes.

The resulting explosion in the summer of 1982, said Reed, was observed
from space by US satellites and caused concern for the US military who
feared it was a missile liftoff. A CIA agent quickly told the military
what had happened.

"While there were no physical casualties from the pipeline explosion,
there was significant damage to the Soviet economy," Reed writes adding,
"Its ultimate bankruptcy, not a bloody battle or nuclear exchange, is
what brought the Cold War to an end."

Take a look at this

is what brought the Cold War to an end.

If by end, you mean temporary halt.

Take a look at this

I had this particular mindset at work when they "enhanced" security in all our buildings. They spent millions. Now I have to scan my ID badge to get into the front door, to go through a turnstile into the lobby and to leave the lobby and enter the building proper (all 3 card readers are within 30 feet of each other). I also have to scan my badge to enter the 3rd floor area where I work. The thing is, no one actually checks to see if it's MY badge I'm putting through the card reader. So they've spent a fortune to make sure that only authorized ID badges are in the building while ignoring who is actually carrying them.

#24 posted by Takuan, April 15, 2008 5:29 PM

yah, I know a port worker at a place where they have spent millions on "security" and all the electrical power for the entire facility still runs through a ramshackle, unguarded shack.

Take a look at this

Home security systems can be disabled by simply cutting the phone line. It doesn't alert the security company. Unless you pay extra for some sort of wireless back-up, your security system can be bypassed by a third grader with a pair of blunt scissors.

#26 posted by Takuan, April 15, 2008 6:32 PM

but, but surely your responsible neighbours will alert the gendarmes?

Take a look at this

You mean the twelve other people who actually stay here for the whole summer? My last house, there were three full-time residents on the block out of eight houses.

Take a look at this

I'm pretty sure I've had this 'security mindset' since I was sixteen or so, only I used it toward a very different end. I see now I need more ambition.
