
Inside the twisted mind of the security professional

Uncle Milton Industries has been selling ant farms to children since 1956. A couple of years ago I remembered opening one with a friend. There were no ants in the box. Instead, there was a card on which you wrote your address, and the company would mail you some ants. My friend was surprised that you could get ants sent through the mail.

I replied: “What’s really interesting here is that these people will send a tube of live ants to anyone you tell them to.”

Security requires a particular mindset. Security professionals, at least the good ones, see the world differently. They cannot walk into a store without noticing how they might shoplift. They cannot use a computer without wondering about its vulnerabilities. They cannot vote without trying to figure out how to vote twice. They just cannot help it.
SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff onto my valuables as proof of ownership,” I wrote when I first learned about it. “I think a better idea would be for me to paint it onto your valuables and then call the police.”

Really, we cannot help it.

This kind of thinking is not natural for most people. It is not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary, or a criminal. You do not have to exploit the vulnerabilities you find, but if you do not see the world that way, you will never notice most security problems.

I have often wondered how much of this is innate and how much can be taught. In general, I think it is a particular way of looking at the world, and that it is far easier to teach someone domain expertise, such as cryptography, software security, or document forgery, than to teach them a security mindset.

That is why CSE 484, the undergraduate computer security course being taught this quarter at the University of Washington, is so interesting to watch. Professor Tadayoshi Kohno is trying to teach this mindset.

You can see the results in the blog the students are keeping. They are encouraged to post security reviews of random things: smart pill boxes, tracking systems, Quiet Care Elder Care, Apple's Time Capsule, GM's OnStar, traffic lights, safe deposit boxes, and dorm room security.

One recent review is about a car dealership. The author described how she was able to retrieve her car after service simply by telling the attendant her last name. Any ordinary car owner would be pleased at how easy it was to get her car back, but someone with a security mindset immediately thinks: “Can I really get a car just by knowing the last name of someone whose car is being serviced?”

The rest of the blog post speculates on how someone could steal a car by exploiting this vulnerability, and whether it makes sense for the dealership to have such lax security. You can quibble with the analysis (I am curious what liability the dealership has, and whether its insurance would cover any losses), but that is all domain expertise. The important point is to notice, and then to question, security in the first place.

The lack of a security mindset explains a lot of bad security: voting machines, electronic payment cards, medical devices, ID cards, Internet protocols. The designers are so busy making these systems work that they do not stop to notice how they might fail, or be made to fail, and how those failures might then be exploited. Teaching designers a security mindset will go a long way toward making future technological systems more secure.

That part is obvious, but I think the security mindset is beneficial in many more ways. If people can learn to think outside their narrow focus and see the bigger picture, whether in technology, politics, or everyday life, they will be more sophisticated consumers, more skeptical citizens, and less gullible people.

If more people had a security mindset, services that compromise privacy would not have such a large share of the market, and Facebook would be completely different. Laptops with millions of unencrypted Social Security numbers on them would not get lost, and we would all learn far fewer security lessons the hard way. The power grid would be more secure. Identity theft would drop sharply. Medical records would be more private. If people had a security mindset, they would not have tried to look at Britney Spears' medical records, since they would have realized they would be caught.

There is nothing magical about this particular university class; anyone can exercise a security mindset simply by trying to look at the world from an attacker's perspective. If I wanted to evade this particular security device, how would I do it? Could I follow the letter of this law but not its spirit? If the person who wrote this advertisement, essay, article, or documentary were unscrupulous, what could he have done? And then, how can I protect myself from such attacks?

The security mindset is a valuable skill that everyone can benefit from, regardless of career path.

Source: https://habr.com/ru/post/134418/