Last week, I returned from maternity leave to fly to the land of beer and chocolate (Belgium), as the invited opening keynote speaker for BruCON 2012. Keynote speeches I have enjoyed hearing in the past tell stories, and are ideally only deliverable by the exact person giving the speech – which is to say, the stories are personal. Below is the text of my speech in its entirety. I hope you enjoy my stories as input to the just-in-time rendering of your own story.
September 26, 2012 – Gent, Belgium:
Thank you. It is my honor and pleasure to be here at BruCON 2012. Thanks very much to Wim and all the organizers for putting on a great event, and for inviting me to speak to all of you about some of my experiences and perspectives.
I’m Katie Moussouris, and some of you may know me in the context of the past few years at Microsoft as the head of Microsoft’s security community outreach and strategy team. What that means is that I help Microsoft understand and have positive interactions with the security researcher (or “hacker”) community.
Before Microsoft, I spent about seven years as a pen tester – first as an independent security consultant, then as one of the Artists Formerly Known as @stake. After Symantec acquired @stake, we jokingly referred to ourselves as “SymStake.”
But now I’m a security strategist, and my team at Microsoft runs the internal security-research conference called BlueHat. The idea for that conference was pioneered by Window Snyder when she worked at Microsoft. We invite hackers to come to Redmond and educate the engineers and executives on current and emerging threats.
I founded Microsoft’s third-party vulnerability research program (MSVR), and Microsoft security researchers have been getting hundreds of vulns fixed since 2008 through that program. As an individual, I have managed to convince the ISO community to elect me the editor of an upcoming international standard on vulnerability handling processes -- basically the steps vendors need to take to thoroughly triage, investigate, and remediate vulns.
Last year, my team and I launched the BlueHat Prize, the first defense-oriented competition aimed at finding new runtime mitigations for open problems in modern exploitation, like Return Oriented Programming. As you know, these exploitation techniques can be used to bypass the current best mitigations on any platform. Microsoft gave the winners over a quarter million dollars in cash, awarded at this past BlackHat. To my knowledge, the Grand Prize of $200,000 is the largest cash award for security research ever paid in a single chunk to an independent security researcher by a vendor.
(Didier Stevens, who is running the Windows x64 workshop here later today, was one of the excellent contestants. Be sure to check out his workshop here at BruCON.)
So now you know what I do for Microsoft, but if you had told me a decade ago that I’d eventually be working for Microsoft, and on top of that I’d spend some time as an ISO standards editor, I would have laughed, turned back to my Linux box, and piped your wacky prediction to /dev/null. But something surprising happened in the intervening years -- besides me getting old. I allowed my curiosity to lead, as I always have, and to my great surprise it led right to Microsoft’s front door (even though the back doors at the time were sooo tempting!).
Let me take you back a few more years. Many of you may be too young to remember a world without Microsoft or Apple or Google. But my first computer was a Commodore 64, and to “play” with this new “toy” my mom bought me required patience and experimentation and curiosity – your basic ingredients of hacking. I had long before had all the screwdrivers in the house removed due to my insatiable curiosity around household electronic devices. Many of you probably did too – I know Fabienne did, and lucky for you, she’s running a hardware hacking workshop here at BruCON where you can satisfy that curiosity.
So, to play with this new thing, I had to focus my curiosity on peeks, pokes, and sprites – sounds perfect for a kid, right? And so began my lifelong reading of technical manuals, and the sudden need to look up the meaning of the word “syntax,” since I kept getting those kinds of errors. :-)
And so I learned BASIC and wrote some programs, but being a lonely nerdy type, at first I didn’t have ANY friends with whom I could share this geeky fun. After coding up my own Zork-like text based adventure game -- based on Choose Your Own Adventure books I enjoyed reading -- I realized it wasn’t much fun solving puzzles for which I already knew the answers. There was no fuel for my curiosity in that, and if it weren’t for the burgeoning technology that would network my computer with others, my curiosity may never have found its purchase in the computing world again, and I would have gone on to be a biochemist like my mother.
So aside from sharing some nostalgia with you, how does that relate to our world today?
In our world of computer security, both sides to the security coin must advance for any of us (attackers or defenders) to have any fun. Each side presents a new challenge to the other, fueling each other’s curiosity, in a cat-and-mouse battle royale that will outlast all of us.
It only stops being fun when you know all the answers, and by challenging each other on the offense and defense of computers, we are playing an incredible choose-your-own-adventure game – one that may or may not result in being eaten by a grue.
Fast forward a few more years. My curiosity around the newborn Internet (though that wasn’t what it was called then) led me through the phone wires to a bulletin board system run by some of the earliest computer hackers in the Boston area. These people followed their curiosity to the extreme, challenging each other and the status quo, and not only lived to tell the tale, but were openly sharing their knowledge. These were my kind of people! To this day, I can still recall my delight upon meeting some of them at my first 2600 meeting, over twenty years ago.
Now, at this point, I could fast-forward you, vaulting over the dalliance I had with biochemistry and mathematics, but I think it’s important to share some key inspiration I encountered during those years. Computer science is a young field, and computer security is even younger, but at that time I was fortunate enough to have been involved in another very young field: molecular biology, working on the Human Genome Project at MIT. What initially caught my eye during my undergraduate studies was the paper that started the genetic revolution.
The groundbreaking 1953 paper by Watson and Crick that described the biochemical double-helix structure of DNA piqued my curiosity like no other because of one phrase, used at the end of the paper, which I will share with you. This paper had a revolutionary effect on the biochemistry community -- much like Aleph One’s paper on stack-based buffer overflows, “Smashing the stack for fun and profit,” had a delightfully destabilizing effect on computer security, effects which are seen and felt to this day.
When describing the fact that they had only scratched the surface of the science of genetics, and that there was more work to be done, Watson and Crick said:
“It has not escaped our notice that the specific pairing we have postulated immediately suggests a possible copying mechanism for the genetic material.”
That sentence was the understatement of the century. The phrase “It has not escaped our notice” was a wry challenge that these biochemist hackers issued to the rest of the scientific community. They had rushed their work, racing to beat a prominent chemist named Linus (Linus Pauling, that is). They knew there was so much more out there to do, and with that phrase, they alluded to the fact that they knew their initial work was a profound portal into even greater scientific discoveries and advancements. In saying “It has not escaped our notice,” they invited the world to play in their adventure game.
At the time of their discovery, Watson was in his early twenties -- prime hacking age. Crick was older, but was exploring a new field (he had been a physicist), so his mind was as open and curious as if he were just starting out. It’s no coincidence that many of the boldest and most profound discoveries in any field are often at the hands of the youth, when their minds are in that synesthetic state where they can almost taste the music of their ideas, and the areas of the brain responsible for judgment and risk-taking are not fully mature, so they have the urge and the energy to challenge authority and the status quo.
Hackers are wonderful in that they follow their curiosity, and will boldly challenge authority and the status quo at nearly every opportunity. And without hackers discovering and sharing their knowledge of attacks, mainstream technology will continue to grow without ever developing an immune system to defend itself. We see this in the darker corners of our industry that have recently been exposed, such as SCADA or embedded systems, where a hacker can seemingly still party like it’s 1999.... or even 1988. Attackers will attack, so defenders need to pay attention to the hackers who have a knack for showing that the emperor has no clothes…and that it’s really cold in the room.
Even as I speak, the Internet itself is profoundly different than it was even a few years ago. Now devices are talking to each other with no human interaction at a rate that if it keeps up will soon eclipse porn. I’m not just talking about tablets or smartphones and the profound societal effects that small, affordable portals to the Internet have engendered -- from enabling the immediacy of social networks updating on what you ate that morning, to sparking and carrying waves of Cultural Revolution across newly re-awakened swaths of civilization. I’m including in this “Internet of Things” your car, your pacemaker, your electric meter at your house… your running shoes…
This Internet of Things is the same as the Internet of PCs was just a short time ago – huge and wide open to abuse. So the challenge to all of us, as people who are passionate about security, is to teach and reteach the lessons of the past, even as society embraces this new wave of interconnected devices before it really knows what kind of an adventure they have chosen. For those who played Zork, this is the point at which we can “get lamp,” and thus hopefully once again dodge the grue. (The grue in our world can also be translated as “cybergeddon.”)
So for those of you on the front lines of defense, it’s not so much that you want to think of yourselves as the mouse to an attacker’s cat -- you need to be the mongoose to the attacker’s cobra, a formidable foe capable of competing and winning, by making the attacks themselves as expensive for the attackers as they are for the defenders.
Computer security defense as an industry is still more mouse than mongoose, but the field is young, and I have faith in the hacking community – not only that we will find great defenders among you, but that great attackers who use their skills wisely will be symbiotic sparring partners in our industry’s growth and evolution. I have faith that this community will turn its laser focus on technology’s threats, whether those threats are technical, legal, policy-driven, or societal -- so that we can all keep playing. We saw it with the recent uprising against botched attempts at laws like SOPA in the US, and against similar attempts at legislation in the EU.
I have found that my hacker’s curiosity has been focused by the patience gained in my old age, and that Microsoft – and even the ISO community – have become the levers by which I can help move the world. Even Mudge and Dark Tangent work for The Man now – they even admit that they ARE The Man now!
My challenge to you all today is to find your levers by which you can move the world, be they in a hacker space where you experiment with hardware and software, or in a meeting room of a giant established organization where you may feel a little out of place, or better yet – DO BOTH. It is places like BruCON that will give you a place to mingle with them all.
The security sea itself cannot swell without you filling it with new knowledge about both offense and defense. You don't just control the tides; as security folks, you are the sea. Which is convenient if you're a pirate...and judging from this group, a few of you arrrr. So, pirate or patrol ship, you ride the wakes of each other's advances, each depending on the other to raise the next challenge in order to leap forward. As hackers, you have only begun to scratch the surface of what is possible if you wield your influence with purpose and focus.
And this, my BruCON friends, is a fact that I believe has not escaped your notice.
Enjoy the con, and thank you!!