Hey internet friend. As always I want to start by writing that Black Lives Matter! As usual, if you want to skip to the dog picture, click here. I wanted to write a bonus post because it was brought to my attention that it had been a long time since I wrote anything about computers or information security. While I have plenty of good excuses, er, reasons for not posting on that subject, I wanted to do something positive about it instead, and thus this post. I am going to share with you perhaps the biggest lesson I have learned in all my years of working in computer security. Ready for it? I am going to write it over and over again, so there will be plenty of time to catch it if you miss it the first time.
Everything old is new again.
Most of the problems that computers have (or that we have with computers) are actually problems with the people who operate, maintain, and/or program them. Put differently, the most complicated issues are frequently people problems and not technology problems. But I am getting ahead of myself. What I really want to write about is this talk from GrrCON 2012 by the late Mike Kemp. While it is VERY NSFW (and some of the rude language has aged like milk), it is still one of the best talks on computer security that I have ever seen, and I try to watch it at least once a year. There are very important things in this talk, but my biggest takeaway is that some things don't change, and frequently everything old is new again.
Much of what Mike says about the information security industry is still true today. Ultimately, what I understand better now than I did five years ago is that the name of the game is risk. It is all about securing your systems to the best of your ability, and where you cannot go all the way, explaining the risk of stopping short to the people who can authorize going further. If they accept the risk anyway, there is not much you can do other than leave the firm.
To change direction a little bit: some of the things in the talk about legacy systems are still very true today. Because of the nature of the work I have done for the last few years, I cannot be too specific about what I am talking about. What I can say is that there are some great opportunities to do cool stuff with legacy equipment.
Maybe in the future, I will be able to give a fireside talk and go into detail about some of the cool stuff I've been able to see and do in my career. However, given that this is the internet and anyone can read what I write, I will remain vague and just say that, in the past, I've had lots of fun with legacy technology. Hopefully in the future I will be able to get my hands on it again, and in a capacity where I can be more open about what I mean. Ideally, that would mean being able to give talks on the cool stuff I am doing, or write papers about what I want to break. Guess we will have to wait and see what the future holds!
Turning back to the topic at hand though, everything old is new again. Many times new vulnerabilities are inspired by old ideas, or exploits are chained together from old mistakes. Not unlike how in philosophy we are frequently standing on the shoulders of giants. If you look at the OWASP Top Ten, you will notice that some of these vulnerabilities or vuln types have been around for years and years. People regularly find old vulnerabilities in new software because whoever wrote it did not know the mistake had already been made (or what not to include).
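To make that concrete, here is an added example (mine, not code from the post or from Mike's talk) of one of the oldest entries on any injection list showing up in a "new" login function, next to the fix that has existed just as long. The table, the user, the password, and the login functions are all constructed for illustration and do not come from any real product.

```python
"""
Added example: the same SQL injection mistake that has been on the OWASP
Top Ten for years, written into a fresh login function, beside the
parameterized version that fixes it. Everything here is constructed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table.

    Storing the password in the clear is a second old mistake, kept here
    only to keep the injection point easy to see.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The old mistake: glue untrusted input straight into the query text.

    The input becomes part of the SQL syntax, so a quote in the password
    can close the string and append its own WHERE clause.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The old fix: bind parameters so the input stays data, never syntax."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


# Classic payload: closes the password string and appends an always-true
# clause. SQL evaluates AND before OR, so the whole WHERE becomes true.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, real creds:", login_vulnerable(conn, "alice", "correct horse"))
    print("vulnerable, injection: ", login_vulnerable(conn, "nobody", PAYLOAD))
    print("safe, real creds:      ", login_safe(conn, "alice", "correct horse"))
    print("safe, injection:       ", login_safe(conn, "nobody", PAYLOAD))
```

Run it and the vulnerable function lets "nobody" in with the payload while the parameterized one does not; the only difference between the two is whether the input is treated as data or as syntax, which is exactly the lesson that keeps getting relearned.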
What I am trying to tell you is this: everything old is new again. That is what I wanted to share with you, internet friend. This is a big chunk of what I have learned over the last few years, and what I have been thinking about lately. If you dug this post, might I suggest you go out and check out some YouTube talks on legacy stuff. Then write up what you found in your own blog post, let me know, and we can start a web ring!
Thanks for reading, and I hope you have a great day. Cheers!