The best security essay of 2007 (isn't about security)


Security professionals everywhere, myself included, might want to think long and hard about why the best security essay of 2007 wasn't even about security.

It is a late entry to the running for 2007, published on a personal weblog on the 14th of December. The author, Ben Orenstein, is a software developer, and the essay is titled On the fundamentals of programming.

While the content of the essay never references security, even obliquely, all the principles it touches on relate very well to security matters. As both a security professional and a programmer myself, I believe I have a leg to stand on when I say this is probably the best essay of 2007 not only about security, but about its intended subject -- programming -- as well.

As Ben Orenstein put it:

To become a better programmer, one should practice like a musician.

The key is, as he observes, that one learns best and most completely by doing -- not merely by reading and listening, or by buying the most expensive toys. That applies to all fields of endeavor, including IT security. This message holds particular interest for me, not only because I'm both an IT security pundit these days (writing for this weblog) and a programmer, but also because I'm a relatively recent musician. I finally graduated from a long-time loaner Samick bass to a brand new Ibanez Soundgear bass of my own.

It is only in retrospect that I realize I have learned about IT security primarily by doing, taking on tasks of gradually increasing difficulty. The framework for a proper iterative progression of tasks doesn't really exist in IT security as it does in music, or even in programming if you look hard enough for it. In music, repetition of simple patterns (as I'm finding out first-hand, for the second time in my life) is enough to teach fundamental principles to the beginner. All it really takes is a basic ability to recognize patterns and a lot of practice, which generally takes the form of practicing scales or chords.

Some good examples of similar practice patterns for programming show up in Ben Orenstein's essay, and in the comments that follow it.

Where do you find the same thing for IT security -- or for security even more generally than that? One can take a very unstructured approach, of course, in the form of simple personal privacy management, malware defense, firewall configuration, and all the other basics of personal security. Such practice, however, tends to take the form of learning how to use the currently available tools to apply the currently best understood security practices. It takes a better capacity for recognizing patterns, and a lot more practice, to sort out the principles that form the foundation of that practice, and such an approach tends to leave significant holes in one's understanding of the basic principles of security.

How long could someone configure mandatory access controls and email encryption tools before one might arrive at the same conclusion as Auguste Kerckhoffs and Claude Shannon -- that security through obscurity is not security at all? It could take years. In fact, you may never learn that lesson, as proven by a significant percentage of the people doing professional security work in the world today.

If I knew of a better way to learn by doing in the field of security, I'd share it with you, though. I'm just not sure how one would go about getting a clearer view of the underlying principles of security through practice than starting with the small tasks of security and working your way up in such an ad-hoc fashion. Formal instruction in security, the sort of thing you get from security certification courses and instructional seminars, hands you concepts on a plate. It doesn't really give you the kind of deep understanding of concepts you get from practice.

Where do we go from here? What are the scales and chords of IT security? If you can figure it out, let me know.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

13 comments
mat4twins

"Security can be defined as an all-encompassing condition in which individual citizens live in freedom, peace and safety, participate fully in the process of governance, enjoy the protection of fundamental rights, have access to resources and the basic necessities of life, and inhabit an environment which is not detrimental to their health and well-being." The people who are secured must first understand and embrace the concept before any other agency who is paid or volunteered to give full attention to security issues can make a significant impact... Mathew Nwokwu, National Open University of Nigeria, Dept. of Criminology and Security Studies, +234 703 903 4002

NatureBuff

I really feel Murray is on to something. It involves one of the last lines of Chad's, "kind of deep understanding", to show how the emotion brings about the best results. Just playing back book learning won't do anything more than closing a door and not turning the lock. I love both of the insights. Thank you for sharing.

murraygrainger1

Comparing music and IT security is certainly a novel twist -- but there are basic and fundamental differences between the two: Practice (say, repetition) will bring familiarity (insight) to both, provided that the practitioner has the critical insight to seek and analyze "patterns". But in the case of IT security, continuous repetition produces purely mechanical results. "Real" music doesn't stop with mechanical proficiency. It is inseparably bound to emotion and feeling. This is the essence of music and it holds true of every type -- jazz, swing, rock 'n' roll, bebop, hip-hop, symphony and opera. I have played them all -- as a (jazz) pianist and top tier, first chair symphony woodwind player. Without feeling and emotion, "practice" with or without finding and repeating "patterns" at best produces manual dexterity, and at worst it produces noise. So put your time to much better use, because there are no scales or chords per se to produce music, nor will practice or daily use provide IT security. Thanks for the opportunity to share with you some of the observations stemming from a lifetime as a professional musician and a stillborn Geek. M. Grainger

pr.arun

Great comparisons in the article, Chad, and also thanks for bringing that excellent post on programming to our attention. It is indeed true that many complex activities such as driving and even typing pass into the "automatic" state when practiced well. It's the same way for programming.

murraygrainger1

How come an advanced technician such as you must be is incapable of distinguishing between an honest statement of opinion and your resorting to distortion, misstatement and name calling -- just because that opinion doesn't coincide with your own? Seems you must be defensive, letting your insecurity show like that. What a shame. On a lighter note (no pun intended), your phrase "...on a high horse" reminded me that my great grandfather said (among other sage observations) "Sometimes one has to get on a high horse -- in order to escape the droppings." Good luck. Murray Grainger

apotheon

"But 'real' music doesn't stop with mechanical proficiency. It is inseparately bound to emotion and feeling. This is the essence of music and it holds true of every type - jazz, swing rock n' roll, bebop, hip- hop, symphony and opera."

What these things have in common with IT security that repetition can help you with is that they require ingenuity. Want to be able to play bass well in a blues jam? Practice chords -- a lot. Want to learn how the MS Windows Registry is organized so that you'll know how to find things in it that you've never seen before as though it were instinct? Clean up malware on MS Windows systems -- a lot. I know this one from personal experience, by the way, and there's a lot more to it than "mechanical proficiency", even if the only emotion involved is usually frustration. As I tried to point out in the article, the key isn't just learning which checkboxes and buttons you need to perform common tasks with common security software tools -- it's to learn the principles of security that define what you're doing, and improve on the state of the art of IT security. In any case, I was talking about the early practice routines, not how to become a virtuoso maestro grand high vizier. Once you get past the stage where you need to practice chords every day just to start to learn some basic principles, you'll have got the hang of learning by doing very efficiently in the field of IT security and will be able to strike off in new directions without needing any practice assignments.

"there are no scales or chords per se to produce music"

Funny -- I've been practicing scales an awful lot, and I've started producing music, in part as a result of that.

"nor will practice or use as daily needed provide IT security."

You seem to think that I'm saying scales and chords are music, and that the equivalent in IT security is security. I'm not. I'm talking about methods for learning each of music and security -- learning principles from patterns, then being able to use those learned principles to develop new patterns, new melodies or policies, new rhythms or routines, and new arrangements or layered security architectures. Obviously, practicing installing firewalls all the time won't just magically translate into an impregnable laptop, just as practicing scales won't just magically translate into a cool blues jam. On the other hand, installing and tweaking firewalls will teach you something about good network traffic gateway and logging policies, just as practicing scales will teach you something about what notes sound good together in a melody and how to keep time while playing without having to think about it so you can groove with your musician friends.

"Thanks for the opportunity to share with you some of the observations stemming from a lifetime as a professional musician and a stillborn Geek."

I guess I should have expected this. Every time someone writes an essay that compares two distinct fields, someone in the field toward which the essay wasn't targeted pops up and takes offense at the notion that field A could ever be up to the artistic standards of field B. It happened when Paul Graham (a hacker and a painter) wrote Hackers and Painters. It happens fairly often when people see the phrase "code is poetry" at the bottom of an install of WordPress. It happened when Sterling Camden talked about "blogging" as jazz. It happens every time someone has the gall to suggest that there's artistry in clean, elegant code. Someone with a liberal arts degree shows up on the virtual doorstep of geeks who have devoted their lives to achieving ever greater perfection of aesthetic form and clarity in their work and craps all over the party, simply because they can't stand to have anyone encroach on the rarefied airs of "their" exclusive fields of endeavor.

Frankly, I find it silly -- especially since in this case I never said that IT security was music. I just pointed out some similarities in how people learn underlying principles of activities that require actual skill and knowledge, and thus make themselves better at those tasks. I think you're so far up on that high horse that you can't even see what I'm doing down here -- so you just assume that I must be trying to kill the horse, when all I've done is observe that it has its number of legs in common with a well-trained guard dog.

edit: formatting

hlhowell

Regardless of the form of your vocation or avocation, practice does improve your results, even if those results are poor. Musicians that only follow sheet music do not improve. But those that memorize scores, and work to improve their techniques, do so. Ditto for programmers. I also tell new programmers to read code, lots of it. Particularly code by programmers whose work they admire. Musicians improve by listening to other, better musicians, and to other poorer musicians, to understand the difference in the emotional tones that produce the desired effects and also how to avoid those tonalities that impact them adversely. So I tell programmers to look at the code of ineffective programmers to see how it erred. Become critical of code in general, and the inherent lessons will carry over to the code one writes. There is emotion, coupling, courage, and skill involved in programming. It is not a static art, but a dynamic one, with multiple instruments (generations of language, types of languages, and target methodologies). To be good one must master the mechanics. To become excellent, one must master the skills of examining the means to improve, and to become great, one must do great things, in music, in code or in any other chosen field. Regards, Les H

apotheon

You responded to the wrong person. Nice with the "droppings" comment. Insults like that will get you everywhere in life, I suppose. Well, it'll get you somewhere, anyway. Probably not somewhere I want to be. I prefer colorful arguments, rather than insults that simply stand in for arguments. Perhaps you could try actually addressing the points brought up some day.

DigitalFrog

In both music and IT, there are those that never surpass the scales and chords. A relatively smaller group have the ability to go beyond and see the music that hasn't been written yet. In music, they are the composers. In IT security, it is those who can look at a technology and identify the weaknesses that nobody has noticed yet, and so are not on the checklists and guidebooks. Unlike musicians, there are antagonists in this group -- hackers (decomposers?). This puts an added time constraint pressure on the IT security professional, as he must not only think of the things not thought of yet, but he must do so before they can be exploited. Edit: word correction

murraygrainger1

You got it right and your paraphrase is a well expressed Bull's Eye. I was once a technician too: 35 combat missions, B-24 bomber pilot, South Pacific, Thirteenth Air Force, WW2, of course. Thank you, and best wishes. Murray Grainger, First Lieutenant, U.S.A.F.

apotheon

. . . or, at least, that wasn't the point murraygrainger1 presented. The actual point presented goes a little more like this: Musicians are artists who put passion and music into their work. IT security guys are just technicians. As such, there's no use comparing them. The whole comparison is bollocks. Go away, you puny IT security people, and trouble not the hallowed halls of musicians in their lofty pursuits. Something like that, anyway. That's how it looked to me. At the very least, the "don't compare the two, it's a waste of time" part was very explicit.

santeewelding

Thank you for that. You go well beyond the subject at hand.
