How Hackers Can Benefit IT Security
Bringing the hacker mindset into corporate IT isn't always a bad thing.
The word "hacker" is often misconstrued to be a bad thing, though that's not always accurate. That was the message delivered by security researcher Joe Grand at the SecTOR security conference today here in Toronto. Grand is also known as the Kingpin and was formerly one of the founding members of the L0pht hacker collective in the 1990s.
"I want to share the experience of being a hacker in the corporate environment," Grand told the audience. "My idealistic view of hacker is someone that is always asking questions, learning and has a thirst for knowledge. A hacker tries things that other people think are impossible and it's someone that solves problems in a clever way."
Grand noted that the media likes to co-op the term hacker for malicious people and those that attack websites. Grand does not include those type of people in his definition of hacker.
Grand's experience as a hacker started with the L0pht hacker group in the 1990s. L0pht achieved national notoriety in 1998 when Grand and six of his cohorts testified before the U.S. Senate about the state of Internet security. In the year 2000, L0pht went corporate with venture capital backing in a company called @Stake. In 2004, @stake was acquired by Symantec. Grand noted that he left @stake because he couldn't handle being a consultant in a corporate environment.
"I learned a lot of lessons in the melding of corporation and hackers," Grand said.
Among those lessons: There is a need in corporations to encourage innovation and tinkering.
"In the corporate environment you feel like you have to bill for every minute," Grand said. "But a lot of the fun and morale boosting comes from things you don't have to do, but the things you want to do."
The other key lesson is to not isolate the research group from the broader corporation. With @stake his group would do hacker work, but it never left their Ivory Tower and the executives didn't understand what they were working on.
"We were totally excluding the rest of the company and hiding our work whenever anyone else came in," Grand said. "It was a functional silo where it's one group working for themselves and not connecting with the outside world."
Grand suggested that if security people are setting up some kind of research organization, it's important to make it inclusive to others in the company. It is important share information both within the corporation and the external community. "Information is not the dangerous part, it's how you use it," Grand said.
The need to share information is also crucial for security researchers so that people will understand what they're doing.
"Like the academics say, "publish or perish." If you don't talk about your work, you don't exist," Grand said.
Not everything needs to be shared, however, but there is always some piece of information that others can benefit from. That process of sharing information also creates a positive impact and makes security better for everyone.
"Sharing information is what hackers want to do; to share, teach and learn," Grand said.