Tuesday, August 21, 2007

What Hackers Learn that the Rest of Us Don't

I read a great article in the July/August 2007 IEEE Security and Privacy magazine titled "What Hackers Learn that the Rest of Us Don't" by Sergey Bratus. He contrasts developers and academic programs with what "hackers" do. For example:

  • Developers are under pressure to follow standard solutions, or the path of least resistance to "just making it work."

  • Developers tend to be implicitly trained away from exploring underlying APIs because the extra time investment rarely pays off.

  • Developers often receive a limited view of the API, with few or hardly any details about its implementation.

  • Developers are de facto trained to ignore or avoid infrequent border cases and might not understand their effects.

  • Developers might receive explicit directions to ignore specific problems as being in other developers' domains.

  • Developers often lack tools for examining the full state of the system, let alone changing it outside of the limited API.


I really resonated with this statement:

In a typical academic setting... an ever-increasing number of topics limits the time the students and teachers can allocate for any specific one.

My comment: in contrast, attackers obsess over minute, specific aspects of a target, which ultimately allows them to beat defenders.

Let's contrast developers with "hackers."

  • Hackers tend to treat special and border cases of standards as essential and invest significant time in reading the appropriate documentation.

  • Hackers insist on understanding the underlying API's implementation and exploring it to confirm the documentation's claims.

  • Hackers second-guess the implementer's logic.

  • Hackers reflect on and explore the effects of deviating from standard tutorials.

  • Hackers insist on tools that let them examine the full state of the system across interface layers and modify this state, bypassing the standard development API. If such tools do not exist, developing them becomes a top priority... Interest in the internal workings of various programming language mechanisms is characteristic of the hacker approach.


Let's contrast these hacker characteristics with this "Hot Jobs" column I found in CIO Magazine:

Hot Jobs: Windows Administrator

Job Description: A network administrator who is primarily concerned with software and whose responsibilities include security, implementing network policy, managing user access and network troubleshooting, as well as designing, installing, configuring, administering, and fine-tuning Windows operating systems and components across an organization. Some career experts say the evolution of IT’s business role makes this job a possible career path to CIO.
(emphasis added)

Stopped laughing yet? It gets better:

Desired Skills: Knowledge of Windows Server 2003, Microsoft Exchange, domain and configuration controllers, global catalogs, LDAP (Lightweight Directory Access Protocol) and Active Directory. Minimum education is two-year degree in computer science; general business degree with software training also valuable.

This is an entry level position that requires a two year CS degree... or a business degree? This is mentioned elsewhere:

This is a job where an employer can bring in people with a basic degree in computer science or a degree in business with a computer background and grow their own to a greater extent than some other areas. (emphasis added)

I realize this is CIO Magazine, advocate of the multitalented specialist, but please.

In one corner, hacker. In the other, person with "degree in business with a computer background." Who is going to win here? If I'm going to hire a Windows administrator, I don't care if he/she has a degree, let alone a business degree. I want a person who can administer Windows.

This "business focus" is getting way out of hand. CIO, absolutely. CISO, yes. Directors, to some degree. Front-line administrators? Forget it. I want technical domain knowledge. Why do I not see financial people being told to get CS degrees with a financial background? After all, they use computers?

11 comments:

Keydet89 said...

Very interesting stuff...mostly due to the obvious element of truth that is so often staring us in the face, yet we fail to see it. I would say that the points about developers apply equally to sysadmins and system engineers who develop and maintain architectures. I've had FTE positions supporting SMBs, as well as providing network security support to telecomm ops...which received their infrastructure after engineering threw it over the "Chinese wall".

Re: academic settings...in some cases, it isn't so much an "ever-increasing number of topics", per se, as it is the availability of instructors, or the expertise of whomever sets up the program. I've seen degree programs that, early on, focused on databases, due to the fact that the professors who set up the program were all database guys.

In some ways, the actions of the "hacker" harken back to 1969 MIT, rather than the mis-use of the term today.

shrdlu said...

Wow. Very insightful, Richard, thanks. And I absolutely agree about the futility of expecting a Windows administrator to spring fully formed from the forehead of Zeus, PLUS a business degree that will cause them never to apply for a job like this in the first place.

Allen Baranov, CISSP said...

I think we have come to the conclusion that no matter how clever your InfoSec team is they can't know everything.

I started off as a techie but I'm finding that the skills I often ignored in the past have become more important. Marketing, leadership, management, report writing, speaking, etc.

You can't know everything about everything. I can't know every detail about IOS at a hacker level AND everything about Windows security at a hacker level. I need to rely on my technical teams for that.

My job is to make sure that they are aware of the issues and to push home ideas like strong passwords which is something common to all systems including windows and ios.

dre said...

You can't know everything about everything. I can't know every detail about IOS at a hacker level AND everything about Windows security at a hacker level

Can I please add Unix and application security to that list?

You can. You just have to study harder and read more.

To be honest, I've always found that I've been lacking in business skills - but what that really means is "paper degrees" and "paper certs". But some of that stuff is worthwhile, especially for some people. Don't disregard an MBA program as a potential place to learn security skills. Depending on who you are and who you're with - you could learn a whole hell of a lot.

Finding talented people is easy. Getting talented people to stay talented and work with you takes management and leadership skills. Getting talented people to learn your environment takes time and requires heavy investments in instructional capital.

The best people are the ones who immediately start contributing to others, creating their own forms of social and instructional capital. You can't learn how to do this sort of stuff from a computer security book or in an MBA classroom. What you want is a team of experienced leaders - and that only comes by surrounding yourself with self-actualized people and motivating them correctly.

LonerVamp said...

Excellent post, and quite timely. I am in a point in my career where I regularly read job ads and have gotten quite used to them. I agree with what you pointed out; "entry level" positions have tacked on requirements that are too often absurd for entry level people. I know managers too often are one level abstracted from the daily needs of their people, and HR is another abstraction layer away, but come on... No wonder some of them keep getting posted on the boards I read. :)


It is also something we as a group still have to come to terms with, and that is the "geek" level of hackers versus professional business people or developers. In my recent jobs, I would guess that 1 out of 4 developers are what I would consider geeky enough to really learn the things pointed out in that article. With your generalized hacker, they are natural geeks who are curious about pushing technology.

It's obvious to me what this all shakes out as.

I've never yet bought into how IT people need and are going to mesh with business and gain those skills. I believe there will be a layer of hybrids who live in both worlds, but IT and especially security simply cannot survive by watering our talents and skills down like that. It just can't happen.

LonerVamp said...

I will clarify that I don't think it is useless for us to have that, but I don't think it is as huge a push as people think it is...

Matt Richard said...

Last night I was sitting in the play area of the mall watching my 2 kids when the guy sitting next to me starts to tell me how he was going to school for "network security". His interests were in moving away from his current carpenter position and getting into the "six figure" security jobs he always reads about.

His coursework (to be completed) consists of 3 networking, 4 system administration and 2 security classes taught over 3 semesters. The school promises they can help him land a "security" job after graduation with a local company.

God help us all.

This security analyst to be will be lucky to have even a basic understanding of the subject matter let alone the context in which real threats occur.

I'm sure this program is in the minority of formal security education but it's still really sad. 9 months and 9 technical courses does not prepare you to troubleshoot a Windows PC let alone grapple complex security problems.

John Ward said...

Responded to this: http://digiassn.blogspot.com/2007/08/it-field-following-money.html

Long story short, you have dedicated hackers who love to hack versus tradeschoolers looking for the big bucks and only want to put in the 9-5. Who do you think is going to win? I think Matt hit the nail right on the head.
