I’m not sure that the terms “security” and “research” could be combined in proper academic fashion. Recalling my Ph.D. days, I had some frustration when I had to cite “non-proper” named sources that contributed to my research… However, I couldn’t stop laughing sometimes like this.

Much tempted by the advances of offensive security during the last 3 years, I like to see that our ‘race’, the security people (or those who cannot describe their profession, if so…) focuses on practically proving exploitable vulnerabilities with a touch of -rather strange- “humor” (non-understandable by other human species). We’ve started to separate ourselves from cryptologists, and that’s an advance we’ve been waiting on for years…


On December 30th, 2008, during the Chaos Communication Congress in Berlin, a team of enterprise-class security researchers proved the creation of a rogue CA, exploiting short chosen-prefix collisions in the MD5 algorithm, horrifying major Internet vendors like Microsoft, Cisco, VeriSign and Entrust. They made it practical, using a cluster of 215 PlayStation 3 machines, not formulas or simulation.

One year later, on December 30th, 2009, again during the Chaos Communication Congress in Berlin, Nohl and Paget decrypted A5/1 ciphers used in GSM, again putting a massive worry on approx. 4 bn subscribers. They also made a demonstration, inviting people to bring GSM sniffs for decryption (…).

Of course, the industry will keep arguing over this offensive security research, by exaggerating the horror-frame, eventually turning anxiety into dislike (I can’t be sure how a Nigerian lunatic on an airplane can be a more serious issue than the aforementioned security advances though…).

Bottom line: security research is changing, and we should start realizing the difference lies in perception. Born in Mathematics and raised in Computer Science, Information Security is becoming a science of its own.

And it’s the security attitude that makes a great difference – Quoting uncle Bruce: “Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.”

Really, we can’t help it but… I believe we’re the only race capable of breaking our narrow focus and seeing the big picture: on technology, on ethics, on politics, on social issues… We do it by either using some PlayStation 3s, creating music from exploit code or simply traveling around the world and talking about this…

We can’t help it…

