Becoming Old School
As Defcon 19 lurks just around the next corner, the 20th anniversary of one of the world's top three most famous hacker conferences is now just over the horizon of the year. Anniversaries are a good cause for celebration, and reminiscing, with a touch of disbelief that we've really been doing this all for this long.
As a good friend of mine once quipped at Defcon itself, almost a decade ago now: "You know how you become old-school? You wait!" I know more than a few people who've been in this microcosm of weirdness called Information Security and the Hacker Culture for these past 20 years or so, who would shake their heads alongside me, to consider that we are the Old School now. Certainly when I first discovered this world in late 1990, I quickly saw much evidence that the Golden Years had come and gone, and all the major events, and most interesting people, were things I would only ever experience in historical accounts.
How wrong I was.
Although I'd missed many of the legendary firsts of the time, the coming decade brought more than enough activity of its own with the explosion of the internet out to consumer-access, and security, far from getting better, careened around the corner and over the hill into a wild descent of complexity, hyperbole and the pursuit of the quick buck. Robert Morris Jr's Internet Worm, was not the great educator that would happen merely once to demonstrate the risks, that everyone would then engineer out of further possibility, but the harbinger of dark times down the road.
And perhaps, if I had been less of a naive kid during those times, I may have even set myself down a different career path instead...
(...oh, who am I kidding? I wouldn't exchange this one for anything; just the people you meet in this field alone, make the whole thing worth it).
Back in 1992, when the first DEFCON was put on, with a handful of friends (in comparison to the multitudinous hordes of today), I was making my own first steps towards fame and notoriety, putting together a new Amiga Demoscene group with fellow friends from my hometown in the North of England: NERVE AXIS. The Demoscene had ties to the hacking/infosec scene, with a common turf of being on the 'computer underground'; there was some crossover at various points, especially in the phreaking area (remember, this is pre-public internet access, so access to long-distance modem calls was a staple of keeping the scene's underpinnings of distribution of our productions alive). The Demoscene, however, had much more focus on the 'maker' aspect of the term hacker: we developed software, we wrote music, drew graphics, and produced A/V demos that still stand in their own right as engrossing productions in the modern day.
Many of the people from the Demoscene have gone on to become big names in the video game industry, having cut their teeth on complex matrix math transforms, on a 1 MHz CPU, or creating some of the best images seen, on a 320x240 screen. Likewise from the hacking scene, people who 20 years ago were cracking video game copy protection code are creating entire reverse engineering application suites today.
And soon the end of the decade, and fin de siècle came upon us, the DotCom boom coming at the perfect time for many of us to find high paying employment well beyond our years at the time, but not always beyond our experience. The explosion of the internet and the need for people with a security background far outstripped the number of people with any formal education in the subject, and those with formal education largely lacked the applied experience to deal with the rapid rewriting of the threat space occurring in lockstep with the technological evolution. Threats that were purely hypothetical (and often sounded ridiculously distant from reality) could reach viability within a year or two at the most; adapt or die soon became the prime mantra.
As the decade rolled in, we saw the brief era of massive self-replicating works: Blaster, Slammer, l10n, Nimda, Code Red (all red-letter days to those of us that were on the job, when these hit); none of them, however, carried (by today's standard) a particularly destructive or malicious payload, they were like proof of concept, load-balancing tests - case studies in digital epidemiology, providing future data for both defenders and attackers alike. Early rootkit techniques and technology soon began to find a wider audience beyond the scope of the elite few - corporations that dealt in that most annoying (but essentially harmless in comparison now) of software, Adware, soon began to realize that if they could make their surreptitiously installed software that much more difficult to remove....
Other games changed as things went on, system administrators got wise to the wild and woolly internet, mail servers were no longer left as open relays, internet facing servers became hardened, blacklists of known spam sites were arranged - the criminal adapted, and combined SMTP spam-pushing into their adware, and the command and control functions to organize it; the botnet was not born here, but this is where it went to school.
OS-level and network-stack vulnerabilities, so prevalent in the late 90's, as many vendors saw their products subject to 'review by public network connectivity', came and went as the primary exploitation vector; major service software followed shortly after. (Not to say these vulns are wiped out, but their prevalence is greatly diminished due to extensive audit and review in recent years.) But Operating Systems and major service software (IIS, BIND, Apache, etc.) are a fairly finite set of surfaces to harden... but there are millions of applications out there... and sure enough, application and client-side security issues soon took forefront. Not least of all, that most unpredictable, undefendable client-side vulnerability, the client themselves, between keyboard and chair.
But mostly, mostly, a whole slew of people decided to get into Information Security as a career.
For me, I think the watershed for this influx of newly-minted infosec people, was 2005 - malware was evolving to a new level of nastiness, the technical colleges were in full-swing with their new two-year degrees for things like 'cybercrime investigator', and the giants of the technology sector, were in full swing gobbling up every new infosecurity startup they could get their hands on (and, in my opinion certainly, crushing any of the truly good ideas and talent out of them in the process, but that's a topic for another time).
The problem with the commoditization of a skillset, the transition from craftsmanship to tradesmanship, is often that it comes with an accompanying loss of passion and curatorship for the whole sum of the field; when people do something purely for the paycheck, there is little interest in knowing any more than is necessary to fulfill a role and perform the immediate task at hand. I don't meet many chartered accountants with a collection of antique abaci, who can educate me about accounting practices of the Roman Empire at the height of its power, but if you do meet someone like that, you've just found the best accountant you know, he's a craftsman.
The Infosecurity field is still in the midst of heavy evolution, re-learning many of the same things learned decades ago in other fields, the maturity of the field is barely tangible even today (and again, this is a topic for another time), and this year so far has been a heavy lesson in just that very point.
2011 has been the year of 'everything old is new again', mass hacks using ancient techniques, drama about Charlatans in the business making a lot of noise, plagiarizing other people's work, misinforming people and taking their money, vocal groups involved in public clashes with one another, the list goes on.
The amount of hand-wringing and punditry about the significance of these events from the media has been predictable and excusable for their ignorance; the same level from people holding jobs in information security, less so... it's almost as though... they don't remember these things the first time around? Ok, that's understandable perhaps, there are many people that have just come recently into infosec within the last decade, who don't have a broad background in general IT work beforehand (and there's my third topic for another time), but surely, they've done their research, learned their history on the events that preceded them? Sadly it seems that this is becoming more and more rare. Indeed, I have had serious conversations with folks coming directly out of college, and into a security career, who, when I press them about their tunnel-vision around malware being the be-all/end-all of security work, asking them what they thought security people did before the prevalence of malware, have proceeded to ask me (with a straight face) "there were security problems before malware?"... sigh...
As I started this article out with, even in my early days, I was fascinated by what had gone before; as time went on, being able to speak to some of those things, and give a reasoned opinion as to their significance and discuss the known details, garnered me respect and conversations with people that would have ignored me had I not demonstrated knowledge of our predecessors. As time went on and I encountered things that were new (to me), the comparisons to prior events were clear and the ability to contextualize things through that information repeatedly demonstrated its value. As the saying goes, "Those who do not learn from history are doomed to repeat it", and this wisdom applies as much in a technical field as it does in the theater of world history.
Watching people lose their heads this year has been... interesting... more so because this entire year resembles 1999 all over again, to so many of us who remember working in this field in 1999. Sadly this has been proof positive for many of us that we really haven't learned or achieved very much across the industry in those 12 years, when so many of the old techniques still work, the old problems still prevalent; in any case, this repeating of events past gives us an opportunity to do-it-right-the-second-time, and identify what we didn't do correctly (or sufficiently) back in 1999 that would have set us on a different course than we find ourselves on today. This isn't something that unequivocally requires the practitioner to have had direct experience in the field back in 1999, merely to have at least done their research into what happened during that year; they may not have access to all the information that direct experience would provide, but it's a step up from the chicken little approach.
So, many paragraphs later, here's my word to the wise, for everyone who joined the security field in the 21st century: study your history, learn from those who came before you, and process that info. Dare to have an opinion and have enough knowledge to discuss things you only know from history, you'll open up lines of conversation with your peers you'll only learn more from. Put in the effort to be knowledgeable not only about the technical aspects of your field, but the social and political ones too. Not falling into the conceit of believing that only what is happening today is of importance will develop a clear head and a sense of perspective that are vital in this field. Work on these things with as much attention as technical skills and your peers in the field will credit you with far more experience and wisdom than you really have, for all the right reasons.
Finally all that's left, to become an old-school security practitioner (or anything else for that matter), is..
...you wait.
