A while ago I pondered starting a weblog devoted to security. I occasionally feel the need to write something about this subject and I was worried that my one loyal reader would probably get bored stiff if I wrote too much in amongst my generally pointless rants.
My problem is that I know more about security than you. I am pretty safe in saying this unless you are one of a handful of people, all of whom I could name and none of which would be reading my weblog. Don’t get me wrong – If you are an expert in Linux, I bet you know tonnes more about Linux security than I do and I know 12 year olds who know more about modern hacking tools and methods than I ever will. The problem is that these specialisms don’t make good all around security experts; experience and exposure does and if nothing else, I have a lot more of that than most.
I got an email from an old adversary of mine today and part of my reply got me thinking about how I view a profession I used to be very much involved with. I quote:
“My former industry is full of self-publicists who are dreadful at
what they do; I care nothing at all for them and their paranoia
fuelled money making machine. I’ll stick with breeding camels and
just drag myself back into security when I need to eat occasionally,
but even so I don’t much think that will last.”
I’d like to write about security. As an odd kid working out better ways of nicking things or how to open locks I wasn’t meant to open, I have always been interested in the topic and I have devoted most of my adult life to it. When I was at school and a teacher of mine suggested that I manage the school computer systems as an alternative to trying to pull them to bits to see how they worked; I had no idea that a few years later I would be in the position to happily ignore fax requests for help from the FBI because they refused to give me a cool baseball cap or getting hate mail for working with the government to get Universities to prosecute hackers under the then new Computer Misuse Act (an action on my part which was very misunderstood since I was actually more on the side of the students trying to make sure that they received a fair trial where the Rules of Evidence applied). Incidentally, we haven’t even hit the 1990s nor the start of the Internet in the UK yet.
I am not blowing my own trumpet here, I don’t like blatant self publicity and it’s certainly a bad trait in a security person anyway. That said, I am going to talk about me. It’s my weblog and if you don’t like it, then stop reading. I am making a point that I don’t like being told I am wrong by somebody who got a degree in Computer Security from Wigan Polytechnic in 2005 and then spent a few months getting a bunch of commercial “qualifications” consisting of seemingly random letters from computer-equipment manufacturers and then gets employed by some company and given a job title with the word manager, or consultant in it.
In my previous jobs I was surrounded by ’em. I’d go to meetings to be told I was wrong by people who didn’t have a clue what they were talking about. I wasn’t wrong, I am rarely wrong about things I profess to know something about. At BT, we had a chap who I will call John (mostly because that is is name). He didn’t go to University, he didn’t have a single security qualification and he knew very little about computers, networks or telephony. He had, however, spent more than 10 years as a soldier in Northern Ireland on constant active duty. I had been told by my colleagues that John was a jobsworth and something of a tosser and although his job was to give security advice for high-profile projects, he shouldn’t be consulted. I ignored them and decided to talk to him one day about a system I was building for one of the country’s biggest banks. It was a pretty good design and there weren’t too many flaws that I could see but as soon as he saw it, he started asking questions that other people hadn’t thought of and prompted me to make a lot of changes for the better. He didn’t know about anything like as much about technology as the people I was surrounded by but he did have a much better appreciation of security in general and he knew what questions to ask and wasn’t afraid to ask them. Although he doesn’t know it, it was him who prompted me to get more military training to increase my skill set. I would say thanks but he’ll never read this; I don’t think he knows how to use a web browser.
It’s become an odd industry. We are talking security here and security is meant to be quite important in the modern world. There are billions of pounds flying around the world at any given moment and as you see every time the government accidentally sells a few million people’s personal details at a carboot sale, there are people who actually worry about this sort of thing. Who is protecting all this money? Who’s looking after your personal details? Generally speaking, it’s the people with the Wigan Poly degree I am afraid. They don’t have a clue what they are doing and in the rare cases where somebody who does have a clue gets to contribute, the babbling rabble who are shouting out “We can do it for you on a Linux box for 50p” will win the day anyway since it all ultimately comes down to money.
I am not going to start a security weblog. I am not sure there is much I could write that hasn’t already been butchered by the Wigan Polytechnic Press. I may still write about security things but I will just do them as normal rants.
Now you know.