Ben’s mumbling

You can prove anything with facts.

Malory Isn’t the Only Imposter in Infosec

So a tweet by Dr. Jessica Barker about imposter syndrom in infosec got me replying about how I’ve had imposter syndrome a bunch. Perhaps no more and no less than anyone else, we’ll see, but I said I’d write it up as the tweets was not ideal for it. (Sadly, for those following the conversation on twitter, I have had exactly zero wine so this may make sense, but not be as vitriolic as one hoped.)

It’s a long one, nearly 2500 words, and I’m sure it rambles, but this is a 9 hour flight with no wifi.

Comments are foolishly turned on. I look forward to the flames and doxing on IRC. |:

Who’s this clown?

To reference my favourite joke, I’ll give some background on who I am and how I got here. Perhaps more than I should. Humour me.

Back in the 90s, I somehow convinced my parents to eventually get a modem. My father brought this giant hunk of I think Hayes? 2400 baud metal device home. My mind was blown, computers talking to other computers over phone lines? What sorcery is this? From there, I fell in to the BBS scene. By way of fell, I mean, I would drag my Amiga 1200 to my parents room, by the phone socket, plug in my modem, plug my computer in to the amazing portable “boom box” that also had a 4inch black and white television in it, and dial up BBSes. As this was the only way I could get near a phone line. Ideal. Somehow from this, I am now here.

From that, as we all did, I got a faster modem (never a USR Courier, sadly, just a Sportster), and eventually fell in to the FidoNet scene. I cosysoped some other BBSes. In absolutely no way helped with copyright infringement, while running up huge phone bills. Ahem.

At one time, a friend I’d met on my not-so-local BBS said lets meet up. After some convincing of parents (I was a kid), I got on some trains and went to hang out with my friend. (I promise you this gets going). I found he had slightly more risqué interests than me in the world of modems and computers. So he dragged me along to a 2600 in London at the bottom of those elevators, then to webshack or McDonalds as was seemingly the tradition.

This is how I am now apparently a computer security engineer.

Utterly ridiculous.

From there we fall in to an amusing world of opening up BT phone cabinets for phone fun, hanging out with the silliness of people from IRC as they hooked their radio scanner up to their soundcard and decoded pager messages over the air (encryption? what’s encryption?).

I stopped using my Amiga, and moved on to Linux (a 1.x.x kernel was the first thing I used, I am that old), then OpenBSD. Got a girlfriend, called each other names from Hackers and was generally an idiot who’s very glad that bug bounties didn’t exist then, as my god, I would have submitted some embarrassing things.

I am not, as one would say, leet.

I can’t reverse stuff, I’ve not written exploits in C, I don’t think I ever finished Smashing the Stack for fun and profit, I am not some badass 0-day hoarding hacker.

But, having spent too long trying to secure Linux boxes from friends on IRC, and let’s just say, now and then having a shell on some machines that weren’t strictly mine (as in, at all), I was able to get a very low level job at a local ISP doing Unix support. After failing A-levels in pretty much everything including computing due to not handing in course work and wanting to write it in C. I dropped out of education (twice) and got a real job.

blah blah blah, linkedin etc.

Since then I’ve been somewhere between the three points of systems engineer (sysadmin, operations person, whatevs), network engineer (Firewalls, IOS, VPNs, IDS, BGP) and security engineer.

Why are you telling me all of this Ben, I am bored.

In 2011, I was working at Puppet nee Puppet Labs as an operations engineer in infrequently sunny Portland. A friend came to visit from far less sunny London and told me he was reading this book Kingpin and how it was cool and about hacking and stuff. I rushed out and bought a copy as it was very relevant to my past. The main person in it, as it’s non-fiction, used to run the Aracnids Snort rule mailing list. Which from all my IDS work I was well versed with. I had a real connection (ish) to this person. Reading it just blew my mind, it remains one of my favourite books, and prompted me to look around for a security job again. I found Etsy were looking for security people, and some how, they foolishly hired me.

So I started at Etsy in 2013. In my first team meeting, everyone on the team, about half a dozen people, said what they were working on. It was all Javascript this, big project that, something I’d never heard of this.

I WAS TERRIFIED.

I’d never used half of these things, I was completely convinced that if I didn’t learn Javascript within the next two hours I was sure to be fired. (I still do not know Javascript.)

Back then, the Etsy security team, at least in my half (infrastructure security) was the likes of Zane Lackey who has now started one of the most exciting security startups Signal Sciences and Mike Arpaia who later went on to join some startup called Facebook? and create and lead the amazing OSQuery project!

And then there’s me.

I literally spent at least the first year in that role thinking I was going to be discovered and fired for being a fraud. I was not ex-iSec. I had not presented at BlackHat. I did not know anyone in the industry.

It got to the point where I was starting to job hunt because I knew I would be found out that they made a mistake by hiring me. I couldn’t find 0day, I couldn’t write an entire huge revolutionary intrusion detection tool. I’m pretty good with sed but I’m not the best.

This lead to me becoming quite gloomy and down with the world. Living under a self imposed Sword of Damocles takes a lot out of you. Emotionally and mentally.

We hired more people. More recovering consultants from the good ship Intrepidus. I was sure the ruse would be up at any moment.

I have now been at Etsy nearly three and a half years. Either I’m really good at faking it, or I was wrong.

Why is infosec the worst?

I’ve had imposture syndrome before, pretty much every job to some degree, but it’s never been as bad or as long lasting as it has or even is, as it is in infosec. Why is that? Well I think a few reasons.

  • Infosec is very ego based.
  • Infosec has purely attack/defense driven.
  • There is someone actively attacking you, very often for money.
  • Governments are now doing it in new and interesting ways, thus scarier.
  • It’s becoming militarised, “Cyber” is a thing, so guns and death and more ego.

Infosec and ego

No real other part of technology have I experienced where it is so combative. Developers main battle is either against caffeine addiction, Jenkins or the compiler. Operations people it’s the pager and the hard drive gods. Network engineers, it’s well meaning farmers digging fields through their fibre lines.

Info has an attack versus defense culture, baked in to it from it’s very core. Everything from the language (exploit, owning) to the borrowing of far too much military terminology (blue team/red team, capture the flag, kill chain).

Hackathons and first to market aside, no other part of technology pits you so directly against other people and systems. It’s “I couldn’t get my code to compile” not “I got completely owned by so and so”.

And ego comes in to this. In the hiring or rockstar mindgame that is large events like BlackHat or PwnToOwn it pays to come out fighting. It’s a 80 billion dollar industry, the entirety of RSA Con is about how vulnerable and defenseless you are, unless you buy this expensive product from us.

History

Back in the 90s (and probably 80s, see Textfiles) when ‘zines were the coolest thing, they had entire sections doxing people, dropping entire mail spools, IRC logs shit talking each other. It’s like what I’m lead to believe a college locker room is like.

Gobbles, perhaps the finest example. Much loved, especially by me, in the early 2000s, with an amazing arsenal of skills and exploits, stormed through target after target, dropping far too private information about whomever to the full-disclosure mailing list. Later at DefCon 10, there’s this timeless video of gobbles and the Unix Terrorist calling people out for not being leet enough, etc.

Conferences

Speaking of DefCon, which is sadly a bastion of the industry, it’s change from being a bunch of hackers getting together in Vegas (in the off season, so it’s cheaper, and even warmer) to something resembling a professional security conference has added to this. The “all first time speakers have to do a shot on stage” because if you’re not drunk, you’re not a real man (I say this as an occasional borderline functioning alcohol) by the Goons, highlight the maturity of the intended audience.

A lot has been written and said, though not enough, about the mistreatment of women at conferences, especially DefCon. I cannot help but feel some of this must come from the sense of entitlement that having money, the ability to hack in to a bunch of stuff, and zero empathy would create.

As an industry, we should feel ashamed of this more than anything.

Entitlement

Back in 2013, BsidesSF was held at The DNA Lougne, at the end of the last day, there was a roast. A fine American tradition, where everyone gets on stage and insults the person in question. Seemingly ill-spirited in nature, but it’s all consenting and harmless fun. However this roast wasn’t against a person, it was against the infosec industry…

…But it wasn’t, it turned very quickly in to a lot of highly paid men, who work or worked as consultants and pen testers, complaining about report writing, “dumb users”, finding the same old bug again. Literally roasting absolutely everyone and everything bar the actual infosec industry.

This was the first time I walked out of a conference.

Smart assholes

The developer and more slowly, the operations world has been moving from the “10x crush it brah” super engineer with zero empathy and social skills that no one wants to work with, with realising that actually teams of good people are better. The whole DevOps movement and things like that have really pushed that agenda forward and it is only bringing good things.

Security is riddled with incredibly smart assholes. And for some reason, this is taken as fine.

I recall once, being with some members of my team, visiting another company. Two very senior members of said company were debating a topic very strongly and passionately, neither accepting each other’s point. This culminated in one of them saying they knew more, because they were on the board of a conference that specialised in it, the other saying they knew more as they wrote their dissertation on the subject. We all left vowing to never hire that kind of engineer at Etsy, because that would instantly destroy the kind of culture that Zane and Rich have built.

Don’t hire assholes, from Rich Smith’s Kiwicon 8 talk

Why is all this bad?

Is this bad? Well, I clearly think so or I wouldn’t have written so much on it.

The security industry as a whole has a major skills shortage. This only perpetuates the problem, as those capable are able to demand “rockstar” salaries and walk around like they own the place.

Unless we bring more people in to this industry from both an early age, other parts of the industry and retain them, we are not going to become more secure or solve problems. We are going to tread water and still be fixing CGI-BIN problems in 2020.

The tired argument of “users are dumb” and “I’m smarter than them” makes this gap larger. The majority of people who spend so long finding and writing these exploits in such things and saying that whomever wrote them is stupid is large source of irritation to me.

Most hackers could not write a web browser, a web app from scratch, would not attend the committee meetings to get a protocol to happen in the first place. Yet through some hard work and intelligence find a bug, that in some cases pops a shell, and they’re cleverer than the person who made it in the first place? That isn’t how reality works. It’s just sadly how infosec works.

Getting back to impostor syndrome

To wrap up. I think that the attacker/defender dynamic, how “attackers always win”, “defence needs to stop 100%, attack just needs to get in one thing”, and the kind of ridiculous sums of money throw around lead to there being a lot of fear in infosec. Some, I’m sure, will argue that this is where the rush comes in, of being the best. Beating everyone, and I’m sure there is a lot of that. That’s definitely the thrill in seeing your exploit work and that uid=0(root) gid=0(wheel) groups=0(wheel) appearing in your shell. But, I argue, if we want to actually as defenders, as an industry, hell as people paid to do a job, want to make things better, we need to check our egos a lot more, stop waving our cocks about, and work together like we’re the insanely highly paid man-children (and a handful of woman-children) that we are.

Or maybe I’m just bitter because I’m not very good.

Comments