Tribe of Hackers

Tribe of Hackers Page 30

by Marcus J Carey


  Another recommendation is Zen and the Art of Motorcycle Maintenance, a fictional autobiography from the 1970s about value systems and technology. Ironically, the author was writing computer manuals as his day job while he wrote this book at night about how to define the quality of journeys that are dependent on machines.

  What is your favorite hacker movie?

  One favorite is Until the End of the World. It’s a pretty clever/artful attempt to predict the social future of technology, including security, which is strangely accurate. I’ve watched Blade Runner far too many times, and I’d still place Until the End of the World ahead of it on most lists. The 414s: The Original Teenage Hackers documentary, about being a curious kid in 1983, is a favorite since it tipped the scales and turned all the 1970s anti-hacking bills into the big Computer Fraud and Abuse Act (CFAA). On that note, 23 (also known in Germany as Nichts ist so wie es scheint) is a favorite because of what it ironically gets wrong about the 1989 death of infamous hacker Karl Koch. I also have to mention my mother’s movie, The Quorum, even though it’s not strictly about computers. However, it does allude to the hacker mentality—with funny anecdotes to the police raids in 1964 where 73 people were arrested for things like playing guitar out of tune. The Vula Connection is also a favorite because the story is so intense and inspiring. It’s about an anti-apartheid group in 1985 that used encryption to penetrate the “fortified borders” of South Africa. Can I have more than one favorite?

  What are your favorite books for motivation, personal development, or enjoyment?

  I read whenever I get the chance, especially poetry, which is why I founded Poetry.org in 1995. Decoding the meaning of poems in many languages is something I try to practice often for personal development. One of the weirdest feelings is spending hours translating a poem into a different language and then realizing you hate it once you get the intended meaning decoded. I look at it like an ancient version of unpacking malware. As for books, I have a lot of favorites. Fire in the Night: Wingate of Burma, Ethiopia, and Zion is one of them. Nathaniel’s Nutmeg is another. It’s highly motivating to learn how people overcame adversity through technology in the past and to explore the tragic mistakes they made along the way—ones that we should avoid even to this day.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Think ahead of the curve. People are trying to figure out how to patch IoT like a Zenith TV repair expert trying to learn desoldering. Today, society has shifted away from repairing technology products to simply replacing them with new ones. That mentality is going to significantly affect the safety and security decisions in IoT, as people succumb to economic decisions that innovate around product rotation and disposal practices instead of repairs. It kind of makes sense when you think back to the economic reasoning that created patching in the first place. (In 1968, IBM realized software patches were less costly than hardware fixes.) So, your cybersecurity strategy in IoT will probably look increasingly like quick and inexpensive rotations to avoid even the slightest complicated/skilled fix.

  Social media is looking similar to me the more it evolves down two paths. Either engineers are building tools that allow new concepts in privacy (e.g., rapid iteration and transitive contexts) or companies like Facebook are literally trying to push society back into the Dark Ages (operating as police-state tyrants, forcing constant identification/tracking on their users, and pushing propaganda in the most self-serving ways).

  Future social models we need to gravitate toward allow people to control their multiple online identities in ways where they never lose control of their own data. The European Union is doing great work to that end with its General Data Protection Regulation (GDPR), which promotes privacy as a human right—floating the concept of “right to erasure”—and basically telling the Facebook executive team to get a clue about ethics. For now, the best practical advice is to delete Facebook from all your devices and convince others to do the same. Stay in touch with others using less “sticky” tools that let you easily rotate in and out. For example, contacts can be easily imported and exported with the Signal chat application. I know it sounds counterintuitive to some, so hopefully the IoT example helps illustrate why a quick replacement of a platform is as desirable as easily replacing devices.

  What is a life hack that you’d like to share?

  It always amazes me to think that the seminal study of wolves in the 1960s, which spoke of Alpha and Beta types, was updated and corrected by its author to clarify that Alpha means parent and Beta means child: “The female predominates primarily in such activities as pup care and defense and the male primarily during foraging and food-provisioning.”15

  More generally, Alpha represents a caregiver. When people throw around that they’re an Alpha, they never seem to be familiar with the correction to the study and so are not referring to a desire to be a parent who feeds and defends Betas—let alone values and cares for others. My life hack has been to see those who are most likely to care for the people around them as the Alphas and those who care only for themselves as Betas. Not that the world has to be neatly divided into caregivers (leaders) and care receivers (followers), but this method has increased my productivity by refocusing my attention on empathy and compassion as natural leadership traits, even within the most competitive, dangerous, and wild environments.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  Back in the 1990s, I was doing global penetration tests on large organizations of every type. At some point, a very large manufacturer hired me to find flaws that would impact their bottom line. Fiddling with ping packets, I was trying to be sure I had enumerated every possible ingress point they could have. I wasn’t going to give up easily, despite repeatedly facing setbacks with all the time zones powering down systems on local schedules—foiling my attempts to scan the world and get a comprehensive map within a deadline. Then, one early morning, I heard word that warehouses were down across Asia.

  More to the point, I was hauled into an operations group meeting and asked to explain how my tests were going. Apparently, my pings had overflowed the JetDirect kernel used by HP printers, which meant “pick slips” in the warehouses went silent. I was thrilled! Nothing could be shipped. Also, I was devastated. Holy moly, I’d just crashed delivery of stuff I could only imagine had a cascading effect…scary. Fortunately, because they powered everything down and back up again daily, printing started again the next day. My persistence had found these isolated devices as well as a vulnerability that impacted the company’s bottom line. They were super unhappy with the vulnerability until I framed the test in terms of professional early-warning, and we set about improving what we would today call IoT devices.

  In those days, we couldn’t lean on regulations to force good hygiene, so it took a bit of social engineering. Despite causing an outage, and perhaps because of the way we quickly explained and recovered from it, they hired me soon after to break their AS/400, which, unfortunately, I did almost immediately. ■

  Notes

  14. Adobe, “2018 Adobe Cybersecurity Survey,” Slideshare.net, January 12, 2018, accessed May 2018, https://www.slideshare.net/adobe/2018-adobe-cybersecurity-survey.

  15. L. David Mech, “Alpha Status, Dominance, and Division of Labor in Wolf Packs,” Canadian Journal of Zoology no. 77: 1196-1203, Jamestown, ND: Northern Prairie Wildlife Research Center Online, http://www.npwrc.usgs.gov/resource/2000/alstat/alstat.htm. (Version 16 May 2000).


  Brandon Perry

  “As an industry, we know how to build secure infrastructure, applications, and processes. What is hard is changing our behaviors and habits that are decidedly insecure.”

  Twitter: @BrandonPrry • Website: www.volatileminds.net

  Brandon Perry is an engineer and consultant focusing on helping organizations secure their applications and network infrastructure. In his free time, he enjoys writing Metasploit modules and playing guitar.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  The myth that security is hard. Maintaining secure networks, building secure applications, and running secure organizations aren’t hard things. Securely encrypting and decrypting data is easy. People do these things every day. As an industry, we know how to build secure infrastructure, applications, and processes. What is hard is changing our behaviors and habits that are decidedly insecure. Security isn’t hard. It’s people that are hard, and they aren’t going anywhere anytime soon.

  “Security isn’t hard. It’s people that are hard, and they aren’t going anywhere anytime soon.”

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Start making implementation and process decisions assuming there is a breach instead of assuming there isn’t one. Installing patches shouldn’t be determined by whether an asset is “internal” or not, as if the internal network is any more secure than the external perimeter of the network.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  It’s easy to spend money on the wrong things in information security. And even if you buy the right things, it’s easy to misconfigure them. Testing to make sure those complex security products are configured correctly is expensive and hard to do objectively. Not many organizations do it, so they never know the product was misconfigured to begin with.

  However, correlation isn’t causation. It could easily be that the organizations that aren’t getting breached are vastly outspending the organizations that are. I think you’ll see a difference in how upper management perceives security spending at these two different types of organizations as well. The organizations that aren’t getting breached invest in their security, while the organizations that are getting breached minimize the cost.

  Do you need a college degree or certification to be a cybersecurity professional?

  I think the obvious answer is no to both degree and certificate. The non-obvious answer is that all of the work that goes into getting accredited is still absolutely required, if not more so. And expect to constantly feel like you’re missing something that your more “lettered” colleagues aren’t. It’s not imposter syndrome; it’s just realizing you don’t have the same base of knowledge as those who went to school or are more classically trained.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  After high school, around 2007, I started as a regular web application developer for C#/ASP.NET. I’ve subsequently stuck out like a sore thumb in InfoSec for being a proponent of C# and Mono/Xamarin for building tools, and C# has only recently (as of 2018) become an interesting language for red teams/offensive security researchers (you can’t beat luck). After a few jobs writing C# apps, I ended up trying to go to college, but failed spectacularly. Unfortunately, I had become enthralled with computer security and how exploits worked. In my free time, I began writing Metasploit modules. This work got my foot in the door at Rapid7, and my C# experience played well with the Java-heavy stuff at R7. I guess that technically was the start of my career in InfoSec.

  I don’t like to give advice, but someone told me something once when I was about 20 that really stuck with me: “Work hard for the next 10 years so you can party for 40 after that instead of partying for the next 10 years and working hard for 40 catching up.” You’ll never have as much free time or energy to pursue hobbies or gain experience as you do when you’re younger and just starting out.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  Application security, with a particular focus on web applications. Many people who do what I do started out hacking in the beginning, and many aren’t very strong coders—let alone understand how to architect complex applications. I was fortunate enough to begin writing code on a daily basis for eight hours a day, five days a week, while learning how applications were built and architected straight out of high school. This gave me a huge leg up in learning how exploits worked because I knew how to read code and was fluent in it. It also has given me insight into how layers within applications work with (or against) each other, which leads to a certain intuition about where vulnerabilities may lie or where a weakness can be abused.

  Serious application development experience can give you a much better grasp on where to look for—and how to exploit—novel and unique vulnerabilities.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  I try not to give advice. I’ve been fortunate to get my foot in the door at companies early on in my career through personal relationships. That allowed me to gain real skills in the workplace before many of my friends. I didn’t go to college; I just started working after high school. I’ve not sought titles or positions; I’ve only pursued jobs I felt I would feel fulfilled in. My jobs have always been technical; I’ve never managed people, so climbing the corporate ladder and starting a company are out of my wheelhouse. In the end, it’s as much (if not more) who you know as it is what you know.

  “I’ve been fortunate to get my foot in the door at companies early on in my career through personal relationships.”

  What qualities do you believe all highly successful cybersecurity professionals share?

  I think that depends on what your definition of successful is. Risk management skills, I think, are a universal need across InfoSec. Some people may think you need to constantly publish work to be considered successful. We aren’t in academia, and there’s already a lot of poor and misleading security content out there anyway. Practical attacks from 15 years ago still work consistently today. Maybe successful means your organization is more secure today than it was yesterday. By that standard, you’ve never heard of the most highly successful security professionals out there. I don’t want to assume qualities, but I’m sure they are hardworking and underappreciated.

  “Risk management skills, I think, are a universal need across InfoSec.”

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  I’m going to include a TV show here: Star Trek: The Original Series. In Kirk’s own words: “Risk is a starship’s business. It’s what we do.” The Enterprise as a whole is an organization that has to operate securely, maintain security, and, in some instances, enact security on short notice. Kirk relies on luck a bit more than I like, but, considering the odds, I think his threat model allows it. It’s good to be good, but it’s better to be lucky.

  What is your favorite hacker movie?

  Caddyshack. Tons of hacking. It’s the first instance of the Gopher protocol (years ahead of its time). The film also makes an excellent example of false positives and their potential effects (using a pool and a chocolate bar).

  What are your favorite books for motivation, personal development, or enjoyment?

  Free to Choose by Milton Friedman

  Basic Economics by Thomas Sowell

  The Meditations (particularly Book 2) by Marcus Aurelius

  I read a lot of American and world history pre-1950. Did you know people had security problems before computers?

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Again, I try not to give advice, but I do want people to realize this more: you are not the only person who has access to your phone and the data on it, even if you are the only person currently accessing your phone. This doesn’t mean you shouldn’t use your phone and that you should live in a cave. Many of us rely on our phones to a large degree, and there are certainly security enhancements our phones make to our lives (multifactor authentication is one example). However, all of the cheap, insecure phones that we don’t want in rich Western countries will end up in the countries with a lot less money, with governments that would love to have remote access to their population’s phones. These phones are often the only computer a family (or multiple families) has and can be the only access to news or communication outside of their immediate community. As the richer countries are able to buy more secure phones or mobile devices, the cheaper, more insecure phones will end up with those who need the security the most.

  “Again, I try not to give advice, but I do want people to realize this more: you are not the only person who has access to your phone and the data on it, even if you are the only person currently accessing your phone.”

  What is a life hack that you’d like to share?

  Don’t start sentences until you know how they are going to end.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I feel like “mistake” implies I regret something and wish things had turned out differently. I’m not sure I’ve had events in my life that I wish had turned out differently or I wish hadn’t happened at all (at least professionally, and mostly personally). I think it’s important to realize every situation has something you can take from it and learn. Even if learning is painful, I’m not sure it’s ever regrettable or a mistake. As engineers, the term bug is just a euphemism for “mistake.” Of course, every bug is a learning opportunity for someone, and I doubt I’d find many disagreeing with that. ■
