Crazy Idea #6 – Make Hacking a Competitive Sport

By Mark Curphey, July 20, 2010

This post is #6 in the series 10 Crazy Ideas That Might Just Change the State of the Security Industry.


I am always amazed, when I go to security conferences, at the number of people playing Capture the Flag. The young, the old, the cool, the “not so cool”, individuals, teams… there are always people engaged, gathered around and enjoying hacking.

When I ran the Foundstone services business I recall a masterful sales guy once telling me “few CSOs I have ever met actually want to be secure, they just want to be more secure than their competitors or peers”. While I am not a fan of the sales profession in general, you have to hand it to them for figuring out what drives people's decisions and actions.

Imagine if hacking was a competitive sport where regional or national teams competed for bragging rights. Instead of small one-off capture the flag events, imagine a league system with rankings, friendly matches and title bouts. Imagine Team America vs. Team China on prime time! Imagine the changes in funding behavior that could follow. I suspect the US government spends more on funding sport, or even the arts, than on funding security education, despite the obvious risk to critical national infrastructure.

Imagine the behavior change that competitive hacking as a sport might drive…

Follow Your Head (or Heart)

By Mark Curphey, July 20, 2010

For a while I have been interested in tracking simple things that seem to be repeatable patterns in life. One that keeps cropping up all over the place is this: if you do something you enjoy, you will generally be successful at it, happy while you are doing it, and reap great rewards as a consequence. If you focus on the rewards, and on doing the things you believe will result in those rewards, you will generally be miserable and fail.

Here is a quote from Joe Vigil in Born to Run: "There are two goddesses in your head. The Goddess of Wisdom and the Goddess of Wealth. Everyone thinks they need to get wealth first, and wisdom will come. So they concern themselves with chasing money. But they have it backwards. You have to give your heart to the Goddess of Wisdom, give her all your love and attention, and the Goddess of Wealth will become jealous, and follow you."

Here is a quote from Guy Kawasaki in The Art of the Start: “Evangelism starts with the desire to make meaning.” When you focus on the money, you focus on the wrong thing. You have to first make meaning. You need to mean something to the world and to your customers. “The root of great companies is make meaning vs. make money.”

A good frame for evaluating your life…

Crazy Idea #5 – Make Developing Countries Security COEs

By Mark Curphey, July 19, 2010

This post is #5 in the series 10 Crazy Ideas That Might Just Change the State of the Security Industry.

A great deal has been written about the way the Internet is creating a level playing field for services, and I thoroughly recommend “The World is Flat” by Thomas Friedman for a great read on the topic. At the same time, anyone who has worked in global teams appreciates that in reality the world is less flat than it is becoming smoother. Geographic boundaries may indeed be less significant, but cultural barriers still take time to break down and effort to work through (especially in software development). Whether you are a flat-world or smooth-world proponent, I doubt anyone will disagree that new opportunities exist to distribute work across the world in new ways. I wrote about this in Beautiful Security.

For a while I have been intrigued that pockets of security professionals seem to exist in particular areas around the world. The UK is one such place, probably driven by a deep heritage of spies and spying (think James Bond). New Zealand is another, South Africa seems to be emerging, and the Eastern bloc has long been accepted as where the majority of virus writers are based. You can look at vulnerability data, virus and malware data and the distribution of security consultants to explore this thesis. The reason may be a complex mix of culture, social interaction and education; frankly it’s hard to tell without doing the research, but the pockets certainly exist.

Any country with a heritage of engineering and science, where engineering and science are still valued as prized professional skills, and where security services can be delivered (any country on the Internet with English as a second language), has an opportunity to create a security hot spot. If we then mix in the economic advantage of lower labor costs, we can see that there is a huge opportunity for a developing nation to become a security center of excellence and deliver high-value specialized services globally. I would love to see a developing nation rise to the surface of global computer security in the same way the Kenyan runners did in the 90s.

Note: I plan to talk to the Gates Foundation about this idea.

Crazy Idea #4 – Teach Kids Computer Security

By Mark Curphey, July 17, 2010

This post is #4 in the series 10 Crazy Ideas That Might Just Change the State of the Security Industry.

This one is dead simple. Get them while they are young. At Foundstone we used to hire the smartest computer scientists out of Carnegie Mellon. After a while they started to understand software security, and I used to get them to audit their own final year projects. Guess what? Yep, all full of horrific security issues. If security is an afterthought in education it will be an afterthought in implementation. We need to teach kids computer security. It turns out my mate Chris Hoff has been working on this one with HacKid!

Mainstream development is way ahead of the security industry on this one. The image below is from Hackety Hack (a development environment designed for kids by Why the Lucky Stiff). I really think OWASP should develop a set of lessons for Hackety Hack!

[Image: Hackety Hack screenshot]

Crazy Idea #3 – Community Driven Statistical Modeling

By Mark Curphey, July 17, 2010

This post is #3 in the series 10 Crazy Ideas That Might Just Change the State of the Security Industry.

I like wine. As anyone else who likes wine knows, there is a great deal of snobbery around wine (especially in the States). This predominantly stems from an industry that is underpinned by the subjective opinions of so-called experts. Sound familiar to the security industry? Frankly I don’t care about the price of a bottle of wine (I usually spend $12-$15 and rarely more than $20), but wine is BIG business and pricing is a big part of that business. In the 1980s wine critics dominated the market with predictions based on their own reputations, their palates, and frankly very little more. Orley Ashenfelter, in contrast, studied the Bordeaux region of France and developed a statistical model of the quality of wine. His model was based on the average rainfall in the winter before the growing season (the rain that makes the grapes plump) and the average sunshine during the growing season (the rays that make the grapes ripe), resulting in a simple formula:

quality = 12.145 + (0.00117 * winter rainfall) + (0.0614 * average growing season temperature) - (0.00386 * harvest rainfall)

Of course he was chastised and lampooned by the stuffy wine critics who dominated the industry, but after several years of producing valuable results, his methods are now widely accepted as providing sound valuation criteria for wine. As it turned out, the same techniques had been used by the French in the late 19th century during a wine census. Ashenfelter's model also has a significant advantage over the previous approach: it can predict the quality of the wine when the grapes are picked, not 18 months later when the wine can first be tasted! It’s clear that by understanding the factors that affect an outcome we can build economic models, and I believe the same principle, applying sound economic models based on science, can be applied to many areas of information security.

In order for these models to work we will need a large open body of statistical data on which we can base models and run analysis. Other, more innovative industries such as financial trading are already embracing this. FreeRisk, for example, is building a giant data warehouse with open APIs to push in and pull out data, on which professional and hobbyist traders can build analytical models.

I believe community driven statistical modeling could change the security industry for the better.

Note: I believe Alex Hutton will be talking at BlackHat about just such a project!

Crazy Idea #2 – Stop Human Pattern Matching

By Mark Curphey, July 14, 2010

This post is #2 in the series 10 Crazy Ideas That Might Just Change the State of the Security Industry.

We have all heard the story of Chicken Little and the “sky is falling” fable. If we look at how the human brain works we know that a large part of its function is self-deception. This dates back to when we were cavemen and needed to convince ourselves that we weren’t going to starve. As we have evolved we have consistently trained our brains to make assumptions and react accordingly, usually deceiving ourselves about reality. When a hunter in the bush heard rustling in the hedgerows, the difference between life and death was the time it took him to process and react to the noise. If he stopped to analytically determine whether it was indeed a lion waiting to pounce or a field mouse looking for a bug, he probably ended up dead. The brain has wired itself to pattern match for survival.

To prove that point I used a few optical illusions. The first was an image of pencils. I covered up the top and bottom of the image and asked the audience the same question: how many pencils are there?


I further reinforced the point with the next image, which has generated something of an Internet myth over the last year. It’s clear what most men think it is when you first flash it up!


And to finally drill the point home I showed a great video where girls were tricked into kissing chimps; and I mean full-on kissing in some cases, not just a peck on the cheek.

The point is this. The security industry has to stop human pattern matching. When we find a vulnerability we have to stop associating it with the worst case and announcing that the sky is falling. When we discover a potential business impact we must stop associating it with Enron or TJ Maxx or other well-known worst-case scenarios. We have to apply the scientific method of analysis. We have to stop and think, not pattern match. The security industry is rapidly becoming the boy who cried wolf in the eyes of others.

I of course end by clarifying that I am not suggesting computers don’t do a good job of pattern matching. Code analysis, IDS etc. all provide valuable and meaningful services and do a decent job.

Next post in the series will be tomorrow.

Crazy Idea #1 – Adopt the Chinese Medicine Business Model

By Mark Curphey, July 13, 2010

This post is one of ten in the series 10 Crazy Ideas That Might Just Change the State of the Security Industry.


In the West when we get ill we go to the Doctor. The Doctor (directly or indirectly through medical insurance) charges a fee (diagnosis and treatment) to make you better. You pay when things are wrong.

In Chinese medicine the model is reversed. The Chinese Doctor charges patients when they are well. When they are well he is successfully executing his job. When the patient is ill they no longer pay until they are better.

There are clearly some significant fundamental shifts that would need to take place for this to work. There would need to be a shift of decision-making power from the system owners to the security advisors, for instance. There would need to be a clear framework within which business and security decisions are made. But imagine a security world where the security industry only gets paid when it positively protects companies!

The next post in the series will be tomorrow.

10 Crazy Ideas That Might Just Change the State of the Security Industry

By Mark Curphey, July 13, 2010

The week before last I got to deliver the keynote speech at the Hack in the Box conference in Amsterdam. For a while I have been keeping notes of crazy ideas, as I think of them, that might just change the state of the information security industry, and it was a good time to start sharing the list. I am fully aware that many will see these ideas as anywhere on the range from visionary to delusional, and I am totally fine with that. Through one lens it's a light-hearted list of fun, quirky things; through another it’s a far-sighted list of things that “might” just work.

While they are a diverse list, I do think they represent ideas that could cost a relatively low amount of money and have a relatively big impact. An opening slide hopefully illustrates that point in a humorous way. And while setting the tone that these are indeed big ideas, it's worth remembering that big ideas do actually happen. The image below is of Ali Maow Maalin. In 1977 Ali was the last person in the world known to be infected with naturally occurring smallpox. Smallpox has been the deadliest disease in history. Between 1900 and 1979, 500 million victims died, with 15 million per year in the 60s, and half of all blindness in Asia was directly attributed to smallpox. Over the last 20 years the World Health Organization launched a campaign, and today most young people have never really heard of smallpox. If we focus our attention on big problems we can make a big difference. Thanks to Adam Shostack for the information about Ali and smallpox.

Over the next ten days I am going to post a blog post each day on each of my ten big ideas, along with the slides and relevant commentary. The speech was videoed, so if you want to see me deliver it live (along with the colorful football slides at the beginning) you can stream the video from here when it is posted. The slides are already online, but if you have seen me present you will know that, apart from some cool photos, I present with words and stories and not bullets or text.

I hope you enjoy the series and that the ideas provoke some discussion and maybe even action!


My 10 Crazy Ideas That Might Just Change the State of the Security Industry are:

# 1 – Adopt the Chinese Medicine Business Model
# 2 – Stop Human Pattern Matching
# 3 – Community Driven Statistical Modeling
# 4 – Teach Kids Security
# 5 – Make Developing Countries Security COEs
# 6 – Make Hacking a Competitive Sport
# 7 – Build a Connected Information Security Framework
# 8 – Design Driven Security
# 9 – Crowd Source Access Control
# 10 – Adopt Agile Methodologies

Installing and Configuring RubyMine, SSH and GitHub under Cygwin

By Mark Curphey, July 11, 2010

My two previous posts, Installing and Configuring Ruby 1.9 from Source Using Cygwin and Installing and Configuring Rails and MySQL under Cygwin, are proving useful to me and some friends as a reference for getting a Rails development environment up and running on Windows quickly. This is the last post in the series, aimed at getting the IDE installed and configured to use GitHub for source control.

I have messed around with a number of the Ruby IDEs (e TextEditor, NetBeans and Aptana) and settled on RubyMine. If you are a .NET developer, it’s from the same folks who make ReSharper.

Installation is easy. I am using the EAP build 96.552.

Once installed, there are a few things worth checking. The first is making sure you are pointing at the right version of the Ruby interpreter. From the File menu select Settings and navigate to the Ruby SDK and Gems section. Given I have set up everything under Cygwin, I want to make sure I am targeting the Ruby interpreter in my Cygwin environment.


After this I can now install Gems from within the IDE such as the beta of Rails 3.0.


Next up is installing and configuring Git and using GitHub to manage code. Git will use SSH to set up a secure connection to GitHub. RubyMine comes with a built-in SSH client, but again, in keeping with running everything under Cygwin, I change it to use the native SSH. You can also check that RubyMine can see the Git installed under Cygwin.


Once you have your account on GitHub, you will find your SSH keys under Account Settings.


To generate your key, simply go to the Cygwin prompt, type ssh-keygen and follow the prompts.


After you have completed that step you will need to open the public key and paste it into the GitHub UI. There is a great tutorial on GitHub about doing this: http://help.github.com/msysgit-key-setup/. Before you do anything in RubyMine you need to SSH to GitHub once from Cygwin so that the Cygwin SSH adds github.com to the list of hosts it trusts. If you don’t do this before trying to clone a repository, the clone will just hang!


Once completed, you can test your setup by simply creating a repository on GitHub and copying the clone URL. In RubyMine go to Version Control and clone the repository. If everything has gone well it will check it out and you will be up and running!
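The steps above (generate a key, paste the public half into GitHub, make sure GitHub's host key is trusted before RubyMine tries to clone) can be checked from the Cygwin prompt before touching the IDE. The script below is an added example and is not code from the original post or from RubyMine/GitHub. It assumes OpenSSH's ssh-keygen and ssh are on the PATH for the live steps, and a GNU-style "base64 -d" plus awk and grep for the checks; the known_hosts entry and the public key it builds at the bottom are constructed sample data, not real keys. The clone "hang" the post describes is ssh waiting for a yes/no answer to an unseen host-key prompt, which is why the live check connects with BatchMode=yes: that turns the hang into an immediate, visible failure.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: pre-flight checks for the
# Cygwin OpenSSH + GitHub setup described above. The live steps assume
# ssh-keygen and ssh on PATH; the check functions need only awk, grep and
# a GNU-style "base64 -d". Sample data below is constructed, not real.

# Does known_hosts file $2 already hold a key for host $1?
# Plain and comma-separated host lists are compared in awk; hashed
# ("|1|...") entries are delegated to ssh-keygen -F when it is available.
known_hosts_has_host() {
  host=$1
  file=$2
  [ -f "$file" ] || return 1
  if awk -v h="$host" '
        /^#/ || NF < 3 { next }
        { f = ($1 ~ /^@/) ? $2 : $1 }          # skip @cert-authority/@revoked marker
        substr(f, 1, 1) == "|" { next }        # hashed entry, handled below
        { n = split(f, hs, ",")
          for (i = 1; i <= n; i++) if (hs[i] == h) found = 1 }
        END { exit found ? 0 : 1 }' "$file"; then
    return 0
  fi
  command -v ssh-keygen >/dev/null 2>&1 &&
    ssh-keygen -F "$host" -f "$file" >/dev/null 2>&1 && return 0
  return 1
}

# Validate one OpenSSH public-key line before pasting it into GitHub: reject
# anything that looks like a private key, and require the base64 blob to embed
# the declared key type (catches a truncated or mangled paste buffer).
# Prints the key type on success, returns 1 otherwise.
pubkey_type() {
  line=$1
  case $line in *"PRIVATE KEY"*) return 1 ;; esac
  set -- $line                                  # split into type, blob, comment
  type=${1:-}
  blob=${2:-}
  case $type in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  [ -n "$blob" ] || return 1
  # The wire format starts with a length-prefixed copy of the type string.
  printf '%s' "$blob" | base64 -d 2>/dev/null | tr -c '[:print:]' '.' |
    grep -q -- "$type" || return 1
  printf '%s\n' "$type"
}

# Live pre-flight (not run automatically; call "preflight" in a real shell):
# make a key if none exists, show the line to paste into GitHub's Account
# Settings > SSH Keys, confirm github.com is already trusted, then connect
# once with BatchMode so a missing host key fails fast instead of hanging the
# way RubyMine's clone does when ssh is waiting for a "yes" nobody can type.
preflight() {
  key=${1:-$HOME/.ssh/id_ed25519}
  [ -f "$key" ] || ssh-keygen -t ed25519 -f "$key"
  ktype=$(pubkey_type "$(cat "$key.pub")") || { echo "refusing to paste $key.pub" >&2; return 1; }
  echo "Paste this $ktype key into GitHub:"; cat "$key.pub"
  if ! known_hosts_has_host github.com "$HOME/.ssh/known_hosts"; then
    echo "github.com is not in known_hosts: run 'ssh -T git@github.com' once and" >&2
    echo "compare the fingerprint shown with the one GitHub publishes before answering yes." >&2
    return 1
  fi
  # On success GitHub prints a greeting and closes the connection (its exit status 1 is normal).
  ssh -T -o BatchMode=yes git@github.com 2>&1 | grep -q "successfully authenticated"
}

# Constructed sample data: one plain known_hosts entry and an ed25519 public
# key whose blob is the wire encoding of an all-zero point (not a usable key).
SAMPLE_BLOB=$({ printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero; } | base64 | tr -d '\n')
SAMPLE_PUBKEY="ssh-ed25519 $SAMPLE_BLOB constructed@example"
SAMPLE_KNOWN_HOSTS=$(mktemp)
printf '# constructed sample\ngithub.com %s\n' "ssh-ed25519 $SAMPLE_BLOB" > "$SAMPLE_KNOWN_HOSTS"
```

Run it with "source preflight.sh && preflight" (or pass a different key path as the first argument). The known_hosts check is deliberately done before the connection attempt: if github.com is missing, the right move is the one-off interactive "ssh -T git@github.com" the post recommends, comparing the fingerprint it shows against the one GitHub publishes, rather than letting the IDE silently wait on that prompt.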

A Small Wager on the World Cup

By Mark Curphey, June 11, 2010

From: Philip Breeden, US Embassy London
To: Martin Longden, British Embassy Washington DC
Subject: World Cup Bet
Mr. Longden, It has not escaped our attention that a certain sporting event is fast approaching, and that our respective nations will soon be meeting on the fields of South Africa.
My Ambassador has asked me to see if your Ambassador might be interested in a small wager? We will understand if you decline, given the outcome of the last such encounter.
Sincerely, Philip Breeden, U.S. Embassy, London
________________________________
From: Martin Longden, British Embassy Washington DC
To: Philip Breeden, US Embassy London
Subject: Re: World Cup Bet
Mr. Breeden,
Even for such an exceptionally optimistic nation as the United States, I am struck by the confidence with which your Ambassador proposes this wager. It is testament, I assume, to the generosity of your great nation – since the British Ambassador does not anticipate paying out.
Your email does not specify the exact terms of the wager. May I suggest that, in the event of an England victory, the US Ambassador agrees to entertain the British Ambassador at a steak-house of his choosing in downtown DC? And in the event that the United States is able to engineer a fortuitous win over England, then my man will entertain yours at a London pub of his choosing. Loser pays.
Your reference to a previous sporting encounter between our two countries puzzles me. Since the history of English football is long and extensive, in contradistinction to US soccer, I regret that I cannot immediately recall the encounter to which you refer. No doubt it is remembered fondly on these shores; we have quite forgotten it, however.
Are you sure you want to do this?
Yours sincerely, Martin Longden, British Embassy Washington DC
________________________________
From: Philip Breeden, US Embassy London
To: Martin Longden, British Embassy Washington DC
Subject: Re: World Cup Bet
Mr. Longden,
It is with great pleasure, and no small measure of anticipation, that the U.S. Ambassador accepts the terms of the wager. I am surprised, given the well known love of the British for history, that you have forgotten what happened the last time the “special relationship” was tested on the pitch. Of course, given the result, you are to be forgiven for having misplaced that particular episode in your memory banks. I refer of course to the victory of the U.S. over England in the 1950 World Cup.
It is true that our soccer (a fine English word we have kindly preserved for you) history is not as long and illustrious as yours. However, as your generals noted during WWII, we have a unique capability for quickly identifying and advancing talent.
Game on!
Sincerely, Philip Breeden
________________________________
From: Martin Longden, British Embassy Washington DC
To: Philip Breeden, US Embassy London
Subject: Re: World Cup Bet
Mr. Breeden,
Very well; it’s a bet!
Incidentally, you should know that the Ambassador takes his steak like American soccer victories – somewhat rare.
Sincerely,
Martin Longden
