Why do I work in security instead of on something more lasting?
Predictions about what is "lasting" are very difficult to make :-). I think outside of the exploit-of-the-day, there's lasting work to be done in understanding of exploitation (because machines and automata aren't going away, and neither are programming mistakes), and I sincerely hope I'll have opportunity to do that work.I tried my hand in cryptography / academia, and found it more prone to political trends/fads and less blindly results-oriented than security - to my great disappointment. When all attacks are of theoretical complexity 2^96, verifying and replicating results becomes difficult, and objective truth suffers (see below).
In the following, I will state a few things that I really like about the computer security community. I did not realize this immediately - instead, I learnt this over many years and engagement in other communities.
- Original thinkers. I used to joke that there are less than 2 dozen reasons why security as a field doesn't suck, and I know many of them personally. Now, the 2 dozen is bullshit, but what is true that in all the noise & hype, I have met a number of very fun, unconventional, and deeply insightful thinkers of very different backgrounds. They are few and far between, but I wouldn't have met them without security, and I am grateful for having met them. Many exploits require considerable inventiveness, and non-obvious / creative ways of solving problems; they are sometimes like a good joke / magic trick: With an unexpected twist that makes you laugh in disbelief.
- Tolerance of non-conformism and diverse educational backgrounds. There are few other industries where people who did not finish high school mix with people with postgraduate degrees, and debate on even terms. With all it's problems and biases, the part of the community I grew up with did not care about gender, skin color, or parental income - everybody was green writing on a black screen.
- Intellectual honesty. When discussing attacks, there is "objective truth" - you can establish whether an attack works or does not work, and checking reproducibility is easy. This is not true in many other disciplines, and "truth" becomes a matter of social consensus - even in pure math, where proof should be absolute. Having objective truth is extremely helpful to prevent a discipline to devolve into scholasticism.
My skewed view of the security community
For one thing, everybody is always nice to me. I am not sure why this is the case, but the only non-niceties I encountered in this industry were in leaked email spools. This makes it difficult for me to notice people being mean to newcomers and elitist - and it saddens me to hear that people are being shit to each other.
People weren't always nice to me - like any group of teenagers, 1990's IRC was very often not a friendly place, and #cracking would kickban you for asking a question. I found a home of sorts in a channel called #cracking4newbies - a very welcoming environment dedicated to joint learning. It was great for me: I could ask questions, and either got answers or links to documentation. A few members of #cracking were no longer active, and held status in the channel for historical reasons, #cracking4newbies on the other hand was full of eager & active youngsters.
All I want to say with this section is: I do not know how I managed to avoid experiencing the bad sides of the security community much. Some of it was luck, some of it was instinct. There are plenty of things I find annoying about the security community (but that is for another post :-), but in my day-to-day life, I don't experience much of it. If you are in security, and feel that the community is elitist or demeaning to people learning, I hope you succeed in seeking out the (many) people I encountered that were happy to share, explain, and just jointly nerd out on something. Feel free to reach out any time.
On building vs. breaking
My friend Sören happens to be one of the best C++ developers I know. When we first met in undergraduate math class, I described what I do for a living to him (reading code for subtle mistakes), and he said "that sounds like one of the worst imaginable jobs ever". He is a builder, and I have nothing but admiration and respect for him - and from the builder's perspective, his assessment is right.
I still like finding subtle bugs. To paraphrase another person who I respect a lot: "People still search for new stuff in Shakespeare hundreds of years later".
Using security as an excuse for broad learning
Summary
But right now, I am actually enjoying having my hands dirty and thinking about heap layout for the first time in years.