One time while eating lasagna in a fancy restaurant with Susan, I turned to her and said, “if you were going to rob this restaurant, how would you go about it?” Caught off guard, she had no real response. “That’s okay,” I said, “here’s how I would do it.” I then went into great detail as to how my plan would unfold, complete with little X’s and O’s drawn out on napkins. By the time I was done I had everything planned out, down to which employees I was going to have to incapacitate.
“You’re insane,” Susan replied through a mouthful of spaghetti.
For a while, I was convinced that I was. Then I found this article on Wired, titled “Inside the Twisted Mind of the Security Professional.” From the article:
Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it. [...]
This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.
I’ve often speculated about how much of this is innate, and how much is teachable. In general, I think it’s a particular way of looking at the world, and that it’s far easier to teach someone domain expertise — cryptography or software security or safecracking or document forgery — than it is to teach someone a security mindset.
Yes! I’m normal! (Well …)
That is exactly the way I see things. When I see web forms, I wonder if they’ll accept an apostrophe. When I see security tags at the store, I wonder how difficult (or easy) they are to remove. I’m the guy who, when bored at the mall, tries to figure out a way to remove the ATM machine. I’m the guy who drives around the neighborhood trying his car alarm remote and garage door opener at the end of your driveway. I’m the guy who shakes his head when you leave your car running outside the convenience store “just for a second”. I’m the guy who cringes when I hear you reading your credit card number over a cell phone or, God forbid, a cordless phone.
I’m not a criminal. In fact, the world is safer because of people like me — like us. People like us came up with encryption, and tougher password requirements, and digital scrambling. We’re the reason cars are harder to hot-wire and your Social Security number is no longer your driver’s license number. By noticing how unsafe things are, we make things safer.
So anyway, back to that restaurant. First you’ll need …