Tuesday, 21 August 2007

What Hackers Learn that the Rest of Us Don't

I read a great article in the July/August 2007 IEEE Security and Privacy magazine titled "What Hackers Learn that the Rest of Us Don't" by Sergey Bratus. He contrasts developers and academic programs with what "hackers" do. For example:


  • Developers are under pressure to follow standard solutions, or the path of least resistance to "just making it work."

  • Developers tend to be implicitly trained away from exploring underlying APIs because the extra time investment rarely pays off.

  • Developers often receive a limited view of the API, with few or hardly any details about its implementation.

  • Developers are de facto trained to ignore or avoid infrequent border cases and might not understand their effects.

  • Developers might receive explicit directions to ignore specific problems as being in other developers' domains.

  • Developers often lack tools for examining the full state of the system, let alone changing it outside of the limited API.


I really resonated with this statement:

In a typical academic setting... an ever-increasing number of topics limits the time the students and teachers can allocate for any specific one.

My comment: in contrast, attackers obsess over minute, specific aspects of a target, which ultimately allows them to beat defenders.

Let's contrast developers with "hackers."

  • Hackers tend to treat special and border cases of standards as essential and invest significant time in reading the appropriate documentation.

  • Hackers insist on understanding the underlying API's implementation and exploring it to confirm the documentation's claims.

  • Hackers second-guess the implementer's logic.

  • Hackers reflect on and explore the effects of deviating from standard tutorials.

  • Hackers insist on tools that let them examine the full state of the system across interface layers and modify this state, bypassing the standard development API. If such tools do not exist, developing them becomes a top priority... Interest in the internal workings of various programming language mechanisms is characteristic of the hacker approach.


Let's contrast these hacker characteristics with this "Hot Jobs" column I found in CIO Magazine:

Hot Jobs: Windows Administrator

Job Description: A network administrator who is primarily concerned with software and whose responsibilities include security, implementing network policy, managing user access and network troubleshooting, as well as designing, installing, configuring, administering, and fine-tuning Windows operating systems and components across an organization. Some career experts say the evolution of IT’s business role makes this job a possible career path to CIO.
(emphasis added)

Stopped laughing yet? It gets better:

Desired Skills: Knowledge of Windows Server 2003, Microsoft Exchange, domain and configuration controllers, global catalogs, LDAP (Lightweight Directory Access Protocol) and Active Directory. Minimum education is two-year degree in computer science; general business degree with software training also valuable.

This is an entry level position that requires a two year CS degree... or a business degree? This is mentioned elsewhere:

This is a job where an employer can bring in people with a basic degree in computer science or a degree in business with a computer background and grow their own to a greater extent than some other areas. (emphasis added)

I realize this is CIO Magazine, advocate of the multitalented specialist, but please.

In one corner, hacker. In the other, person with "degree in business with a computer background." Who is going to win here? If I'm going to hire a Windows administrator, I don't care if he/she has a degree, let alone a business degree. I want a person who can administer Windows.

This "business focus" is getting way out of hand. CIO, absolutely. CISO, yes. Directors, to some degree. Front-line administrators? Forget it. I want technical domain knowledge. Why do I not see financial people being told to get CS degrees with a financial background? After all, they use computers?
