Tribe of Hackers
I like every Bruce Schneier book that I’ve read so far. I recommend Secrets and Lies: Digital Security in a Networked World for starters.
What is your favorite hacker movie?
I wear black lipstick, and I have a face full of piercings. So, the expectation is that I’ll say either The Girl with the Dragon Tattoo or the Millennium series to conform to people’s expectations—or anything but, to rebel against said expectations. I choose the former. I’ve read all of the books so far, including the two that have come out after Stieg Larsson’s death. I prefer the Swedish movies. Yeah, it’s not all technically accurate, though. It’s no Mr. Robot. But Mr. Robot doesn’t have a forced tattooing scene!
What are your favorite books for motivation, personal development, or enjoyment?
I’m awfully skeptical of most self-help books, anything that Oprah would endorse, and stuff like the UpliftingNews subreddit. I think everyone should read Karl Marx, William S. Burroughs, and Marilyn vos Savant with an open mind. People should drop acid and watch old George Carlin routines. I’m also very fond of anime and manga, and my taste in that stuff makes me a terrible weeaboo, you know? As far as anything that people think is new-agey woo is concerned, I do genuinely believe in western astrology, which would put me in contention with many in STEM culture.
I also think meditation and mindfulness are good; just don’t get your advice in those areas from Lululemon or someone Oprah would endorse.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Sure, the data in data storage will physically deteriorate eventually, but you should still have the mind-set of “the internet is forever.” I was born the same year as Mark Zuckerberg, and social media and smartphones didn’t take off until I was in my mid-20s. I was lucky to become an adult when I did. But now we have probably a couple of billion people worldwide who grew up with all of that. Their impulsive Snapchat posts will come back to haunt them. Snapchat told you that it’s private and it will disappear when your session is over. They’re lying. Assume that nothing is private and everything is permanent. As far as IoT is concerned, it’s promising for both consumers and industries. But think twice before you decide that your kitchen stove needs an internet connection—21st century Teddy Ruxpin could spy on your young children. Anything IoT becomes subject to tremendous internet vulnerabilities that connect the device to everything else that’s online.
What is a life hack that you’d like to share?
If you’re like me and you wear lots of makeup, buy setting spray and matte lipstick. The right use of those products keeps me looking freshly tacky all day.
Each day, tell the people you love the most what you like about them. It will help your personal life immensely.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Oh, I’ve made so many mistakes! It’s tough to only choose one! Many of my mistakes have been made by speaking impulsively or by reacting based on my hurt feelings. Try to teach yourself to pause for a few seconds to consider the possible implications of it. As I’ve gotten older, it has gotten easier, but I still screw up from time to time. Recovery can be done with genuine apologies, forgiving yourself for the mistake, and moving on while trying again. ■
17
Emily Crose
“Know your stuff inside and out. There’s a serious dearth of expertise in the basics—and in knowing the simple, easy-to-answer questions about simple topics like the OSI model—which is the bare minimum for both getting started and expanding your career.”
Twitter: @hexadecim8 • Website: www.hexadecim8.com
Emily Crose is a network security professional and researcher whose career spans nine years. She has worked in both offensive and defensive security roles, including time spent with both the NSA and the CIA. Currently, she works for IronNet Cybersecurity. When she’s not caring for her wife and children, she directs the NEMESIS project and finds threats to the openness and safety of the internet for fun in addition to profit.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Cybersecurity doesn’t have to be a cash-for-play business. Developing a threat model for your organization and planning out what you’ll do if realistic scenarios play out is a cheap and easy way to prepare for issues that could appear later. Maybe you don’t know all there is to know about cybersecurity threats. The good news is that learning the basics of cyber defense has never been achievable at a lower cost-to-entry!
How is it that cybersecurity spending is increasing but breaches are still happening?
They say, “Money don’t buy happiness.” It turns out money don’t buy a lot of things, good security practices included. An organization is only as safe as its friendliest individual. When technology fails, humans will always pick up the slack, even when it comes to helping a dangerous individual gain access to their own organization. That doesn’t mean that humans are responsible for all security failings.
The nature of innovation necessitates new technology, and with new technology comes new threats. Even old thoughts and concepts being applied in new ways against ever-evolving technology can be threatening in the hands of someone clever enough to exploit it. What you get out of this concoction of human error and ever-changing technology in a world where data is constantly moving is a complex world full of motivations and capabilities trying not to crash into each other. We shouldn’t be surprised that collisions occur even with an abundance of stoplights.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
Take the time to learn the basics, and learn them well. You’ll always return to them, and with a solid grasp of the basics, you will stand out in interviews later in your career. One of the primary complaints I hear from hiring managers is that they can’t find anyone who has a solid foundation in networking. Don’t be the candidate who can’t expand on the seven layers of OSI.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
The thing I’m probably best at is hunt methodology. The most valuable advice I have for people trying to improve their skill in this area is to seek tools that will help them pivot information, both internally sourced and externally sourced. Building internal tools like a working and effective passive DNS system will pay huge dividends in the long run once you’re able to get them up and running. Open source intelligence (OSINT) skills help greatly in this part of the field, and new tools are always emerging.
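As an added example (not part of the book or Emily Crose's own tooling), here is a minimal passive DNS store of the kind described above: it records first seen, last seen and a hit count per answer and pivots from an IP to the names that resolved to it and back. The resolver log format and its entries are constructed for the example.

```python
# Added example (not Emily Crose's tooling): a minimal passive DNS store for hunt pivoting.
# Keeps first-seen / last-seen / count per (name, type, answer) and pivots answer <-> name.
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log, one "<ISO timestamp> <qname> <rrtype> <rdata>" per line.
SAMPLE_LOG = """\
2024-03-01T08:00:00 cdn.example.net A 198.51.100.7
2024-03-01T08:05:00 mail.example.net A 198.51.100.9
2024-03-02T09:00:00 login-example.test A 198.51.100.7
2024-03-03T10:00:00 cdn.example.net A 198.51.100.7
2024-03-03T11:30:00 login-example.test A 203.0.113.45
2024-03-04T12:00:00 update-check.test A 203.0.113.45
"""

class PassiveDNS:
    def __init__(self):
        self.records = {}                  # (qname, rrtype, rdata) -> first/last/count
        self.by_rdata = defaultdict(set)   # rdata -> qnames that resolved to it
        self.by_name = defaultdict(set)    # qname -> rdata it resolved to

    def ingest(self, text):
        for line in text.splitlines():
            if not line.strip():
                continue
            ts, qname, rrtype, rdata = line.split()
            when = datetime.fromisoformat(ts)
            qname = qname.lower().rstrip(".")
            rec = self.records.setdefault((qname, rrtype, rdata),
                                          {"first": when, "last": when, "count": 0})
            rec["first"] = min(rec["first"], when)
            rec["last"] = max(rec["last"], when)
            rec["count"] += 1
            self.by_rdata[rdata].add(qname)
            self.by_name[qname].add(rdata)

    def names_for(self, rdata):
        return sorted(self.by_rdata.get(rdata, ()))

    def answers_for(self, qname):
        return sorted(self.by_name.get(qname.lower(), ()))

    def pivot(self, rdata, hops=2):
        """Walk answer -> names -> answers for `hops` rounds; returns the related cluster."""
        ips, names = {rdata}, set()
        for _ in range(hops):
            names |= {n for ip in ips for n in self.names_for(ip)}
            ips |= {a for n in names for a in self.answers_for(n)}
        return {"ips": sorted(ips), "names": sorted(names)}

def build_sample():
    pdns = PassiveDNS()
    pdns.ingest(SAMPLE_LOG)
    return pdns
```

Pivoting from 198.51.100.7 links the legitimate CDN name to two lookalike names and a second IP, which is the kind of cluster a hunter then checks against other internal data sources.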
What is your advice when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Know your stuff inside and out. There’s a serious dearth of expertise in the basics—and in knowing the simple, easy-to-answer questions about simple topics like the OSI model—which is the bare minimum for both getting started and expanding your career.
What qualities do you believe all highly successful cybersecurity professionals share?
Resourcefulness. Using whatever you have at your disposal to get access to a restricted area, fixing a problem on the fly, or getting an answer to something against all odds are all necessary skills to have in InfoSec. Most people acquire that last one by living through IT support.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Groundhog Day.
What is your favorite hacker movie?
If it counts, I’d say Ghost in the Shell. I think it counts.
What are your favorite books for motivation, personal development, or enjoyment?
Black Hat Python is a fun book if you want to learn how to build tools for red-hatting whenever you need them. I’d also recommend Practical Malware Analysis. But if you need a truly inspiring book, If I Was Your Girl will change your life.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
In a pinch, a microwave makes an excellent Faraday cage for small, personal electronic devices. Bonus points for turning the microwave on while your phone is in there.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Taking a management job. Avoid this at all costs. ■
18
Daniel Crowley
“Free static code analysis tools can be used to find bugs in software, whether it’s developed in house or open source. It won’t find every bug, but it can help tell you quickly what kinds of risks you’re taking on by using that software.”
Twitter: @Dan_Crowley
Daniel Crowley is the head of research and a penetration tester for X-Force Red. He denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. He is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool. Daniel enjoys climbing large rocks and was TIME Magazine’s 2006 Person of the Year. He has been working in the information security industry since 2004 and is a frequent speaker at conferences, including Black Hat, DEF CON, ShmooCon, and SOURCE. Daniel does his own charcuterie and brews his own beer. His work has been included in books and college courses. He also holds the noble title of baron in the micronation of Sealand.
If there is one myth that you could debunk in cybersecurity, what would it be?
That we truly are a meritocracy as The Mentor claimed. When he wrote his famous Hacker’s Manifesto, it was a time when everyone was just a screen name. You couldn’t judge someone by their race, nationality, sex, and so on, because you simply didn’t know those things. While things are improving, we’re still not the magical utopia we’re supposed to be, but some people assume we are just because The Mentor said it was so.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Free static code analysis tools can be used to find bugs in software, whether it’s developed in house or open source. It won’t find every bug, but it can help tell you quickly what kinds of risks you’re taking on by using that software. You can also set up your development pipeline to allow code to be pushed only when no bugs are discovered.
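As an added example (not Daniel Crowley's code or anything from the book), here is a small CI gate of the sort described above: it reads a static-analysis report and blocks the push only on findings at or above a severity threshold that are not already in an accepted baseline. It assumes a report shaped like the JSON output of the free bandit scanner; the sample report is constructed.

```python
# Added example (not Daniel Crowley's code): a CI gate that fails the build on new
# static-analysis findings. Assumes a report shaped like `bandit -f json` output: a
# "results" list whose entries carry issue_severity, test_id, filename, line_number, code.
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report: one low-severity finding and one medium-severity one.
SAMPLE_REPORT = {
    "results": [
        {"test_id": "B105", "issue_severity": "LOW", "filename": "app/config.py",
         "line_number": 12, "code": 'DEFAULT_TOKEN = "changeme"\n'},
        {"test_id": "B608", "issue_severity": "MEDIUM", "filename": "app/db.py",
         "line_number": 40, "code": 'cur.execute("SELECT * FROM users WHERE name = \'%s\'" % name)\n'},
    ]
}

def fingerprint(finding):
    # Key on rule + file + offending code rather than line number, so unrelated edits
    # that shift lines neither hide an accepted finding nor re-flag it as new.
    return (finding["test_id"], finding["filename"], finding["code"].strip())

def gate(report, baseline=(), min_severity="MEDIUM"):
    """Return (passed, blocking): blocking lists findings at/above min_severity
    that are not in the accepted baseline and therefore must be fixed before merge."""
    threshold = SEVERITY_RANK[min_severity]
    accepted = set(baseline)
    blocking = [
        f for f in report.get("results", [])
        if SEVERITY_RANK.get(f["issue_severity"], 0) >= threshold
        and fingerprint(f) not in accepted
    ]
    return (not blocking, blocking)

if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    with_file = len(sys.argv) > 1
    report = json.load(open(sys.argv[1])) if with_file else SAMPLE_REPORT
    passed, blocking = gate(report)
    for f in blocking:
        print(f"{f['filename']}:{f['line_number']} {f['test_id']} {f['issue_severity']}")
    sys.exit(0 if passed else 1)
```

The baseline keeps a pipeline usable on legacy code: existing findings are recorded once and tracked down separately, while anything new at the chosen severity stops the push.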
How is it that cybersecurity spending is increasing but breaches are still happening?
We are building on a shaky foundation. Computers and the internet were built without the idea that they would one day be attacked. We still have a long way to go. It sometimes horrifies me to think about just how insecure things are in general. Even if we were to fix all the technological problems tomorrow, you can still just ask people for their passwords and a certain percentage will actually give them to you.
Do you need a college degree or certification to be a cybersecurity professional?
I know a number of very skilled professionals who do not have any degree or certification. One former colleague of mine had a degree in digital art. So, no.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
My start was a bit odd. I was doing freelance work while in university for way less than it was worth. I was finding bugs and reporting them to get my work in the public record. I ran a computer security education group at my university (unofficially, they were scared about the liability associated with a bunch of students learning to hack). I got to do a cooperative semester. I went to interview with Core Security in Boston for an internship because I knew I wanted to work in computer security. I sat down with a folder of prepared documents showing all my forays into computer security across from a guy named Mike Yaffe. He nodded and smiled as I talked about each one, and said, “Seems like you know a lot about computer security!” to which I responded with a big smile. Then he asked what I knew about marketing, and I realized with slow dread that I had been interviewing for a marketing internship. I explained the mix-up, and Mike offered to let me take the position so long as I was willing to do some marketing work, noting that in the meantime I could do computer security research. I agreed, and soon enough I had scripted away all my marketing work and spent nearly all my time doing security research. They hired me after I graduated, and the rest is history.
My advice to beginners is to get familiar with whatever technology you want to learn to hack. Most of hacking is about understanding how the system works better than the person who put it together.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I specialize in web applications and physical security. Web applications potentially involve a lot of different technologies, so there’s a lot of things to learn, but I would first recommend familiarizing yourself with HTTP, HTML, JavaScript, and a server-side language of your choice. No matter what application you’re looking at, they all use those things, more or less. Build yourself a basic web application and learn to use Burp Suite, or some other intercepting proxy, and see what it looks like when you post a form or click a link. Once you understand how web applications are built, you can start to understand how they’re subverted and why data from the client side can never be trusted.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
For getting hired, do some pro bono public work. Find and release bugs. Write tutorials. Do conference talks. Develop and release free tools. Play capture the flags. You can point to those on your résumé, and it goes a long way when you’re getting your first job.
What qualities do you believe all highly successful cybersecurity professionals share?
An eagerness to learn new things. You’ll always have to learn about the system you’re hacking before you can find most of the interesting vulnerabilities. As a security professional, you’re always having to learn. If you stop, you’ll become irrelevant in a few years because technology changes so fast.
What is your favorite hacker movie?
For good hacker movies, I’d say WarGames. It didn’t focus a lot on the hacking, but it didn’t need to; it was just a vehicle for the story. For bad hacker movies, I’d say Blackhat. They claimed they were making the most accurate hacking movie ever, and then you had Chris Hemsworth phishing the NSA, beating up six guys single-handedly in a bar fight, and going into a nuclear power plant in meltdown to retrieve a hard drive. It’s glorious cheese.
What are your favorite books for motivation, personal development, or enjoyment?
The Web Application Hacker’s Handbook and The Tangled Web are both excellent.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Use a password manager. Using weak passwords and reusing passwords are big risks to your personal security. If I really wanted to hack someone, I’d find every dinky website they ever signed up for and every exposed IoT device they have and hack whichever ones I could. Then I’d try every password on all the other accounts—not that I would do that, since I’m too pretty for prison.
What is a life hack that you’d like to share?
However long the package of food tells you to microwave it, microwave it for twice as long at 50 percent power. Your food will be more evenly cooked and less rubbery.
What is the biggest mistake you’ve ever made, and how did you recover from it?
A long time ago, I put several copies of a rather lewd and disgusting picture that was an early running joke on the internet around a local shop, emulating the rather common practice at the time of getting people to view it accidentally by clicking a link you sent them. I got caught and had a terrifying experience where I almost became a felon over what I saw as a silly prank. Some begging forgiveness to a magistrate, a fee, hours of community service, and two years of keeping out of trouble later, the whole thing was dismissed. I feel lucky that I was given that opportunity to move on with my life, and I realize that if things had been a little different, I may not have gotten that chance. ■
19
Winnona DeSombre
“In fact, the industry greatly benefits from hiring people of differing backgrounds, precisely because crafting solutions to difficult and nuanced problems in this space requires differing opinions.”
Twitter: @__winn • Website: www.linkedin.com/in/winnonadesombre
Winnona DeSombre is an Asia-Pacific threat intelligence researcher at Recorded Future, focusing on Chinese underground hacking communities and East Asian cyber-espionage campaigns. Previously, she updated legacy systems in government software at MITRE and MIT Lincoln Laboratory and conducted policy research at the Harvard Belfer Center. In recent years, Winnona spoke at the Forbes Under 30 Summit and TEDxTufts, won the Harvard Belfer Center’s D3P Information Operations Technical and Policy Hackathon, and was a semi-finalist in the Atlantic Council’s Cyber 9/12 competition.
If there is one myth that you could debunk in cybersecurity, what would it be?
The myth that individuals who work in cybersecurity are all one type of person. Cybersecurity is a wide field with many different types of jobs and consists of individuals from various backgrounds. In fact, the industry greatly benefits from hiring people of differing backgrounds, precisely because crafting solutions to difficult and nuanced problems in this space requires differing opinions. However, because so many people believe they need to fit a certain type of mold to succeed in this industry, many don’t even consider it as a possible career option. As a biracial woman who only started coding in college, I want to encourage as many people as possible to consider the field, even if they don’t “fit the mold.”