Tuesday, December 9, 2008

The art of war

Although there's nothing nice about war, I'm using the title of Sun Tzu's famous work to raise this point: Is information security a science, or art? According to Ira Winkler of ISAG, it's definitely science, but I beg to differ. Ira raised this issue in a presentation a few months ago, and we debated this issue for a while.

According to Ira, dealing with information security is purely scientific. You learn the technology, tools, techniques and methods of the field. Whether you put that info to good or bad use is another matter, but at the bottom line, it's about knowledge and the ability to apply it.

If you ask me, I believe that hacking, and defending against hackers, is a lot more of an art than you might think. That's not to say it's not a science, but that it's much more than science. No doubt that to be any good at either side, you must learn the ropes. You need to learn your TCP/IP, understand networking, get familiar with tons of products, as well as their strengths and weaknesses, This, however, is just the first part. If you think about it, every major form of art is based on a lot of technical know-how. If you want to paint the new Mona Lisa, you need to learn how to stretch that canvas on the frame (yeah, today you can buy it pre-stretched, but you catch my drift, right?), select your colors, mix them properly, choose the brushes and start painting. To do it right, you should also learn some color theory, use of perspective and composition, the golden ratio etc. It's certainly possible to create a painting without any of those by just using a pencil or crayon and a piece of paper, but in most cases the outcome will be no more pretty, interesting or relevant than guessing someone's "1234" voice mail pin.

Basically, what I'm saying is that any art is based on some sort of technique that needs to be learned and perfected, and that while many people learn the principles of information security very thoroughly, only a handful of them have the skills to transcend the science and make it into art. This goes both for the hackers and crackers, and those who defend their company against them. It doesn't take much to install and configure a firewall, neither does it take much skill to run some well-documented exploit and break into something, but to be able to inventively use the existing technologies to circumvent a security mechanism or build an effective protection against undocumented or yet-unknown attacks is something else.

For example, let's take the well known SAMY worm that has been written by Samy Kamkar. This worm did not cause significant damage to anyone or anything, so it's a good example of a piece of art. MySpace is very well protected from users running most script commands, and so creating this worm took a lot of inventiveness by Kamkar. He spent weeks on weeks developing his code to circumvent all the various mechanisms, often inventing clever ways to sneak commands through the complex filters used by MySpace. Reading the final code (http://web.archive.org/web/20060208182348/namb.la/popular/tech.html) is not easy even for experienced web developers, but it's clearly a piece of digital poetry. A conventional poet would hunt for new metaphors or synonyms to express himself with rhyme and rhythm, similarly to how a worm writer looks for pieces of code that will "work", and that's the difference between the MySpace security team and Kamkar. The security team were just updating the filters occasionally, whenever a new way to sneak-in code was discovered. Similarly, most security managers update their systems or modify their configuration when new patches or attacks are discovered, but a rare few are as active as the hackers, spending their time researching and trying to come up with new better ways to secure their systems. One such guy, who manages security at a bank I once consulted to, was a perfect example. He spent almost no money on security products, and instead wrote mountains of scripts that blocked every attack I was aware of, and also quite a few things that were only theoretically possible back then.

Don't get me wrong - despite my praise for Karmar's work, I don't condone worm writing, and I don't mean to glorify the horrible things done by virus writers. What I am saying, though, is that hackers ARE artists, and to be able to fight back effectively, we need to become at least as artistic, or we'll always be on the defense. Maybe that's one of the reasons so many ex-hackers are making it so well in the security-officer profession? How to transform oneself from a technical expert to an artist is something that I can't tell anyone how to do, but it's certainly possible. Maybe as a first step, the CISSP certification should include some philosophy lessons, or at least a mandatory reading of the Art of War...

No comments: