What Hackers Learn that the Rest of Us Don't
I read a great article in the July/August 2007 IEEE Security and Privacy magazine titled "What Hackers Learn that the Rest of Us Don't" by Sergey Bratus. He contrasts developers and academic programs with what "hackers" do. For example:
- Developers are under pressure to follow standard solutions, or the path of least resistance to "just making it work."
- Developers tend to be implicitly trained away from exploring underlying APIs because the extra time investment rarely pays off.
- Developers often receive a limited view of the API, with few or hardly any details about its implementation.
- Developers are de facto trained to ignore or avoid infrequent border cases and might not understand their effects.
- Developers might receive explicit directions to ignore specific problems as being in other developers' domains.
- Developers often lack tools for examining the full state of the system, let alone changing it outside of the limited API.
I really resonated with this statement:
In a typical academic setting... an ever-increasing number of topics limits the time the students and teachers can allocate for any specific one.
My comment: in contrast, attackers obsess over minute, specific aspects of a target, which ultimately allows them to beat defenders.
Let's contrast developers with "hackers."
- Hackers tend to treat special and border cases of standards as essential and invest significant time in reading the appropriate documentation.
- Hackers insist on understanding the underlying API's implementation and exploring it to confirm the documentation's claims.
- Hackers second-guess the implementer's logic.
- Hackers reflect on and explore the effects of deviating from standard tutorials.
- Hackers insist on tools that let them examine the full state of the system across interface layers and modify this state, bypassing the standard development API. If such tools do not exist, developing them becomes a top priority... Interest in the internal workings of various programming language mechanisms is characteristic of the hacker approach.
Let's contrast these hacker characteristics with this "Hot Jobs" column I found in CIO Magazine:
Hot Jobs: Windows Administrator
Job Description: A network administrator who is primarily concerned with software and whose responsibilities include security, implementing network policy, managing user access and network troubleshooting, as well as designing, installing, configuring, administering, and fine-tuning Windows operating systems and components across an organization. Some career experts say the evolution of IT’s business role makes this job a possible career path to CIO. (emphasis added)
Stopped laughing yet? It gets better:
Desired Skills: Knowledge of Windows Server 2003, Microsoft Exchange, domain and configuration controllers, global catalogs, LDAP (Lightweight Directory Access Protocol) and Active Directory. Minimum education is two-year degree in computer science; general business degree with software training also valuable.
This is an entry level position that requires a two year CS degree... or a business degree? This is mentioned elsewhere:
This is a job where an employer can bring in people with a basic degree in computer science or a degree in business with a computer background and grow their own to a greater extent than some other areas. (emphasis added)
I realize this is CIO Magazine, advocate of the multitalented specialist, but please.
In one corner, hacker. In the other, person with "degree in business with a computer background." Who is going to win here? If I'm going to hire a Windows administrator, I don't care if he/she has a degree, let alone a business degree. I want a person who can administer Windows.
This "business focus" is getting way out of hand. CIO, absolutely. CISO, yes. Directors, to some degree. Front-line administrators? Forget it. I want technical domain knowledge. Why do I not see financial people being told to get CS degrees with a financial background? After all, they use computers?
Comments
Re: academic settings...in some cases, it isn't so much an "ever-increasing number of topics", per se, as it is the availability of instructors, or the expertise of whomever sets up the program. I've seen degree programs that, early on, focused on databases, due to the fact that the professors who set up the program were all database guys.
In some ways, the actions of the "hacker" harken back to 1969 MIT, rather than the mis-use of the term today.
I started off as a techie but I'm finding that the skills I often ignored in the past have become more important. Marketing, leadership, management, report writing, speaking, etc.
You can't know everything about everything. I can't know every detail about IOS at a hacker level AND everything about Windows security at a hacker level. I need to rely on my technical teams for that.
My job is to make sure that they are aware of the issues and to push home ideas like strong passwords which is something common to all systems including windows and ios.
Can I please add Unix and application security to that list?
You can. You just have to study harder and read more.
To be honest, I've always found that I've been lacking in business skills - but what that really means is "paper degrees" and "paper certs". But some of that stuff is worthwhile, especially for some people. Don't disregard an MBA program as a potential place to learn security skills. Depending on who you are and who you're with - you could learn a whole hell of a lot.
Finding talented people is easy. Getting talented people to stay talented and work with you takes management and leadership skills. Getting talented people to learn your environment takes time and requires heavy investments in instructional capital.
The best people are the ones who immediately start contributing to others, creating their own forms of social and instructional capital. You can't learn how to do this sort of stuff from a computer security book or in an MBA classroom. What you want is a team of experienced leaders - and that only comes by surrounding yourself with self-actualized people and motivating them correctly.
It is also something we as a group still have to come to terms with, and that is the "geek" level of hackers versus professional business people or developers. In my recent jobs, I would guess that 1 out of 4 developers are what I would consider geeky enough to really learn the things pointed out in that article. With your generalized hacker, they are natural geeks who are curious about pushing technology.
It's obvious to me what this all shakes out as.
I've never yet bought into how IT people need and are going to mesh with business and gain those skills. I believe there will be a layer of hybrids who live in both worlds, but IT and especially security simply cannot survive by watering our talents and skills down like that. It just can't happen.
His coursework (to be completed) consists of 3 networking, 4 system administration and 2 security classes taught over 3 semesters. The school promises they can help him land a "security" job after graduation with a local company.
God help us all.
This security analyst to be will be lucky to have even a basic understanding of the subject matter let alone the context in which real threats occur.
I'm sure this program is in the minority of formal security education but it's still really sad. 9 months and 9 technical courses does not prepare you to troubleshoot a Windows PC let alone grapple complex security problems.
Long story short, you have dedicated hackers who love to hack versus tradeschoolers looking for the big bucks and only want to put in the 9-5. Who do you think is going to win? I think Matt hit the nail right on the head.