Exploring the Love-Hate Relationship with Offensive Security Work
Overview
In this engaging keynote, the speaker shares a personal and nuanced perspective on offensive security work, discussing both the reasons for their passion and the challenges they face. The talk highlights the technical, economic, and emotional aspects of offensive security, while also addressing the ethical implications and societal responsibilities that come with the field.
Key Points
- Personal Journey: The speaker reflects on their 15-month hiatus from security, leading to a fresh perspective on the topic.
- Reasons for Love:
  - Technical Fascination: Offensive work allows for a full-stack understanding of systems, engaging with various abstraction layers.
  - Creativity: The process of vulnerability development is likened to assembling random pieces into a functional whole.
  - Practical Impact: Offensive work is inherently practical, with measurable success and clear incentives.
  - Community: The offensive security community is filled with passionate individuals driven by curiosity rather than profit.
- Reasons for Discontent:
  - Ethical Dilemmas: The speaker grapples with the implications of working in a field that often aligns with powerful interests, since whoever pays for security work is usually the side with the money.
  - Career Path Limitations: The three main career paths in offensive security (government agency, offensive vendor, defensive vendor) each come with significant downsides.
  - Societal Impact: The speaker questions the overall value of offensive work in improving societal conditions.
  - Emotional Complexity: The highs of finding bugs are contrasted with the moral complexities that follow.
- Future Directions: The speaker expresses a desire to explore other fields, such as performance optimization, to find work with clearer positive externalities.
Conclusion
The talk concludes with a reflection on the fragility of democracies and the ethical responsibilities of those in the security field. The speaker emphasizes the importance of balancing passion with awareness of the broader implications of their work.
FAQs
- What is offensive security?
  Offensive security involves proactively testing and exploiting systems to identify vulnerabilities before malicious actors can do so.
- Why is there a love-hate relationship with offensive work?
  The speaker enjoys the technical challenges and creativity involved but struggles with the ethical implications and societal impact of their work.
- What are the main career paths in offensive security?
  The three main paths are government agencies, offensive vendors, and defensive vendors, each with its own pros and cons.
- How does offensive security impact society?
  While it can provide critical services, there are concerns about its alignment with powerful interests and the potential for negative externalities.
- What are the emotional challenges of working in offensive security?
  The emotional highs of success can be overshadowed by the complexities and moral dilemmas that arise from the work.
- What alternatives to offensive security does the speaker consider?
  The speaker is exploring performance optimization as a field with clearer positive impacts and fewer ethical concerns.
- How does the speaker view the future of offensive security?
  The speaker acknowledges the fascinating aspects of offensive work but encourages looking beyond it to the broader computational world.
half years ago I decided it's time to do something else and not think about security for a while, and I was surprisingly successful at not thinking about security in the last 15 months. So now I'm giving this talk here at a conference for security, having not thought about the topic much in recent months. My solution to coming up with something to say, then, is to take the things I would normally ramble about over beers with people individually and condense them into a talk. It's a bit of the scalable version of having a beer with each of you individually, right? So this is going to be a rambling talk and a quite personal talk, and as you saw the title, the title is "Why I love offensive work and why I don't love offensive work". An important thing for me to mention about my personality: somebody I worked with once asked, "hey, isn't it really strenuous to have a love/hate relationship with everything?" And while this isn't precisely true of everything, there's a few things that I actually quite like and a few things that I actually quite unambiguously dislike, it is true that for most things I have a complicated or complex relationship with them. Security is a complex topic, and this keynote is going to be a reasonably personal recap of my complex relationship with security. Because it's a personal talk, I'm quite sure that everybody's personal experiences and opinions will differ, so I think there's going to be plenty to disagree with. We shall see, we shall see.

So let me begin with all the reasons, or not all the reasons but at least ten reasons, why I love offensive work. There's many good reasons, some of which are technical reasons, some of which are economic reasons and some of which are emotional reasons, and I'll begin with the technical reasons.

On the technical side, offensive work is awesome because it is so full-stack. Meaning: if anybody talks about full-stack engineering, security really is full-stack engineering, because the security flaws always hide at the borders between abstraction layers, and that means that as a security person you get to look at all these different abstraction layers. In some sense the cynical person would say that the only person in computing that is paid to actually understand the system from top to bottom is the attacker; everybody else is usually paid to understand their part. So one of the beautiful things about offensive work is you get to play at every abstraction layer, you get to look at every abstraction layer, and you get paid to actually understand the different abstraction layers, and there's so many of them and it's fascinating. We're going from the physics of the hardware, the vagaries of the manufacturing process, all the way through the operating system, through libraries, through the implementation, through the high-level logic, through things like Unicode homoglyph attacks and so forth, which are really on the very top abstraction layer.

Another good technical reason is it's so broad when it comes to the techniques you employ. Meaning you've got all these interesting questions of program analysis, stuff like data flow analysis, abstract interpretation, all of these very academic things. When you do exploitation you get to play with data structures and algorithms at a level that most people never play with them: if you corrupt a pointer in a tree and then have to still insert and remove things from the tree, that's super fascinating. You do a lot of really interesting engineering when it comes to dynamic instrumentation of software. There's really awesome systems engineering, like building a big fuzz farm; there's actually a lot of clever systems engineering that goes into it. You can argue that one of the strengths of AFL wasn't the ideas behind it but the actual engineering of the implementation. You have to deal with systems internals, you get to look at cryptography. That's essentially everything that's cool in computers put into a bowl, and you get to play with it. That's awesome.

Another thing that's great is spelunking in the ancient ruins of the elders' software. We build software like we build our cities, which means we build on the trash and the ruins of the previous generations, and they're still below where we're living, right? So a lot of software analysis is digging into these old cathedrals that have been built 20 years ago and trying to figure out what they're doing. You sometimes feel like Indiana Jones going into an old code base trying to figure out what's going on. So there's a lot to love on the technical side.

Another thing I really, really like is the creativity of vulnerability development. In my training classes I usually tell people that every individual little bug you find is like a random piece out of the IKEA warehouse, and your job is to assemble all these random pieces until you can build a chair out of them. The vulnerability and exploit development process is very much like this: you take all these really weird, oddly shaped bugs and you try to somehow assemble them into something nice, sturdy and useful. That's something I really like; the creative part is not to be underestimated.

Then there's another good technical reason, which is that offensive work really is on the boundary of what we understand scientifically, in the sense that we're only slowly getting to grips with what it even means on a theoretical level to have an exploit. It's only in recent years that we've got a reasonable understanding of what memory corruptions really are on the computer science level, and we still don't have a good model for stuff like timing attacks, side channel attacks and so forth. That's kind of exciting, because there's real new computer science being explored and we're kind of part of it. That's exciting, that's cool stuff; there's work that will possibly survive the next 30, 40 years.

Another big technical thing that I love is it's inherently practical, meaning work on offensive technology is by and large not theoretical. I studied cryptography in university, where you get to congratulate yourself if you can lower the theoretical complexity of an attack from 2 to the power of 128 to 2 to the power of 110. Nobody can ever check your work, because there's no computer to ever try the 2 to the power of 110, so nobody knows whether it's actually true. The beauty of offensive work is it's very, very clearly useful in some sense, and it's very satisfying to see technology work. If you're mean, you can say that the offensive side of security is a bit of an outlier within the greater security industry, because the offensive side consistently delivers products that actually do what they advertise.

Then there's economic reasons why offensive work is great. Offensive work has almost perfect incentive alignment, meaning your success is almost 100% measurable and it's discrete: either you get the shell or you don't, either you get code exec or you don't. Technical excellence is strongly correlated with your income, because it's so directly measurable, and that sounds weird but is super rare in most fields. One of the lies we tell to children is that how good you are at what you do actually matters in terms of your income later; in most industries that is not true. So offensive work has the nice property of having good, clear alignment of incentives for technical people.

The other thing is that most vendors you're attacking kind of care about fighting you, but not really all that much, right? They really care about having their software in everybody's pocket, and they care enough about fighting you to be a nuisance and to be sure that they feel like they have done something, but their business isn't fighting you; their business is getting that software into everybody's pocket. Which means actually that if you have a bug in somebody's software and they don't know about it, their incentives and your incentives are aligned, because you want their software to be in everybody's pocket too. So the thing is that almost all offensive problems are technical problems, which means it's a great industry to be in if your passion is solving technical problems.

Okay, another economic benefit, or a good thing about the economics of offense, is that what you're selling is actually mission-critical for customers. What I say is that the best products are those products that the customer needs in order to do their job. Most security products are nice to have; like, no business is going to grind to a halt because they didn't update the antivirus, at least most of the time, and the business can continue without them. The other thing really is if you sell something that's critical for the client, that the client needs to have, you don't need much of a sales team. If you do sell something that's nice to have, you become a sales-driven product, and then you need to have a large sales team, and this is why we have conferences like RSA: because most security products are sales driven, because they're not actually essential. Well, the thing is that those people that actually buy offensive stuff, for these people it's mission-critical to have these things; they need these products to do their job. Which means overall the offensive side is not terribly sales driven, which also plays into the hands of people that like the technical work.

Another economic reason that's a little bit amusing about offensive work is that the people that buy offensive products buy these products with other people's money. We have to read this diagram from left to right. We've got the device vendor, and the device vendor makes a big investment into making devices harder to hack. Okay, now the cost for the offensive vendor to provide offensive capabilities against this device goes up, so the offensive vendor tells the security apparatus, "hey, this has gotten really expensive because the vendor has made these investments, we need more money to do our job." The security apparatus needs more money, but it's not their money, so they go to the politicians and say, "hey, we need more money to do our job." The politician then goes to the voter and says, "do you want to feel safe?" And by and large voters want to feel safe, and then they're okay with being taxed. So really the flow of money here is that the offensive vendor gets to tax the population, and the defensive vendor that makes things harder doesn't necessarily actually affect the offensive vendor's bottom line, because the overall revenue of the offensive vendor grows by things getting harder, because the sums involved are bigger, and if you assume constant margin, the offensive vendor actually makes more profits as it gets harder to hack. That's a really, really bizarre setup. And the most bizarre part of the setup is that the people that actually decide about giving anybody the money for the offensive tools are so far removed from the actual price negotiation that there's no direct relation. In the end, offensive tools are bought by people that are not spending their own money.

Now there's a whole bunch of emotional reasons why offensive work is interesting. A math professor once told me that the joy in mathematics is often the receding of the pain, which means you work on a really hard problem for a long period of time and then finally solve it, and it's super gratifying to push through on a hard problem. This discrete nature of "no success, no success, no success, success" is emotionally really powerful; there's a certain high to it, and it's very intense and addictive in some sense. Like, I don't think I will ever forget the moment I got double-sided Rowhammer to work; I was shaking and had to go for a walk thereafter. There's a few moments in life where working on a hard problem and suddenly making progress gives you a real push and a real high, and I don't think we should underestimate that a lot of us really like that high.

Another emotional reason that I find very powerful is that exploits are really the closest thing to magic spells we have in this world. You have a complicated technological device and you find out the right incantation to yell at the device to take control of the device. That is as close to magic as you will ever get, and even after 20 years of being involved with exploits, every time I see a good exploit work I'm like, "this is magic", and it is in some sense. That's also emotionally very powerful.

The last positive reason on the emotional side for me has always been the people. Security, particularly offensive security, used to be a backwater, and most people you met in that region in the early days were primarily motivated by curiosity, and some of them by a sense of duty, but their overarching ambition wasn't to make the most money. That led to the offensive community being a very interesting community of misfits, often with very unique mutant powers, in the sense that different people in offense have very different specialties and very different special abilities as well. I've always found that to be a very rewarding experience, because you interact with so many people that are autodidacts, that have taught themselves most of what they know and have a real passion for learning. As somebody who likes being around people that like learning, that's always been very important for me.

All right. Now, after talking about all the things that I love about security, I'll make a few detours, three of them in total. The first one is talking about the question of how you interact as a scientist with the world, especially when your science interacts with warfare. Why do I talk about this? Well, to some extent I perceive myself as a scientist and engineer of sorts, and as a teenager I read Dürrenmatt's The Physicists, and I watched a play called Copenhagen in my late teens, and both of these plays explore the interplay between science, warfare and the greater societal implications. If you haven't read either, I recommend reading both or watching a play for both; they're absolutely hilarious, fascinating and worth looking at. My personal background is that both my parents went through the Second World War and there's a strong pacifist perspective in that family, but my extended family has a lot of people that actually served in the military somewhere. So my direct family is very pacifistic, and I had to deal a lot with the question of why am I making my living from essentially the intelligence and military budgets, essentially from age 19 onwards. So I always thought about how my work relates to these things. And as somebody of almost age 40, clearly I was 14 when The Prodigy released their album; at the beginning of the sample: "I need to take my work back underground, to stop it falling into the wrong hands." As an impressionable teenager you hear that sample and you can't ever get it out of your head entirely.

So I read about these things and I thought about these things, and I stumbled across a few weird examples. There's a fascinating book, Hardy's, or rather a book called A Mathematician's Apology by a mathematician called Hardy, published in 1940, where he explores how the sciences have been subjugated to producing ever more vicious war fighting, looking at the experience of World War One and so forth. He then concludes that luckily theoretical mathematicians and theoretical physicists are safe, because "no one has yet discovered any warlike purpose to be served by the theory of numbers or relativity, and it seems very unlikely that anyone will do so for many years." Now, we're speaking like he wrote this five years before Hiroshima, and it was about 25 years, thirty years before RSA was invented. The point is that what he deemed to be the most pure, the most untouchable and useless of sciences ended up being very critical very soon thereafter. A second example: in the early two-thousands I dated a social anthropologist, and she always made vicious fun of the fact that all of computer science and mathematics is thoroughly militarized and financed by the state to essentially suppress people, and she wasn't wrong in some sense. But then the weird thing happens that in 2007, during the Iraq war, Secretary of Defense Gates starts the Human Terrain System, where the DoD hired a whole bunch of social anthropologists to unravel the tribal structure in Iraq to better wage war, right? So the conclusion I draw from this is it's really, really difficult for the scientist involved in the moment to predict what the effects of the work that he does will be. It's essentially impossible for me to say "what I do will not have military applications" or "what I do will have military applications." The reality is that the militaries will use whatever is useful in war, and the only way to prevent your work from ever being used for military purposes is to make sure it's irrelevant or wrong or both. So in warfare both sides will take whatever is useful and try to use it. Now, while this may be true, that does not absolve the individual from making informed choices about what he works on and why he works on it. Meaning you have very limited ability to see what is going to happen to your work; that doesn't mean you don't have a responsibility to look.

Okay, next detour: science and conflicts. Is it immoral to improve weaponry? We generally lead discussions from a perspective of saying better weapons are always bad, and for me an important input to this discussion was in 2016, when I visited Japan and both Hiroshima and Tanegashima. Now, I will not talk about Hiroshima; the only thing I can say is that if anybody has a chance of visiting Hiroshima and the museum there, do it. Now, Tanegashima. Tanegashima is an island in the south of Japan, and why is Tanegashima important? It is the place where guns came to Japan for the first time. Japan didn't have guns, and then at some point during a vicious civil war that had lasted for more than 70 years already, where entire generations of young men had died, a small boat with a few Portuguese people with guns landed, or stranded, on Tanegashima, and they sell their gun to the local warlord, and the local warlord gives that gun to his blacksmith to make copies of the gun. So Japan is essentially about 80 years into a vicious civil war, the first gun arrives, and then it takes a while for the gun to actually be adopted; the Japanese had trouble with some of the blacksmithing at the beginning. Then it gets fully adopted around 1575, and then the war is over reasonably quickly thereafter, because one side had an advantage to just kill the others and win. So in essence what we have here is a hundred and ten years of war ended relatively quickly, within forty years, by the arrival of superior weaponry, and that's a really strange thing to contemplate. On the right-hand side is a picture I took in the museum there: the Japanese, after they had the first gun, did a whole bunch of very weird experimentation with what is actually a good gun. As you see, this is a handgun with a caliber like this, and you have to fire it kneeling down and then roll backwards to deal with the recoil. So the question that I cannot answer is whether superior weaponry is actually always bad, because what is bad is prolonged warfare where nobody can get an upper hand for generations, and it may be that superior weaponry ends wars more quickly. It's also like, you could, if you wanted, argue that nuclear weapons have maintained peace because they're so terrible. We don't know. I don't have an answer, and I think about Tanegashima and I have no good conclusion to draw from it outside of "this is puzzling." There's also counterexamples: when the same thing happened in New Zealand and the first guns arrived, the experience was very different. The Maori waged really bad war on each other very quickly thereafter, with mass casualties, without ever having one side gain the upper hand. So we have two examples where the same thing happened, and with very different outcomes. It's also interesting to contemplate that Japan ended up entirely disarming itself again thereafter; after they had acquired peace, they gradually rejected guns and even forgot how to make them, up until 1800. It's super fascinating; there's a great book called Giving Up the Gun that tries to trace what the heck happened in Japan, that they decided to reject guns as a thing and then even forget how to make them. And you know, I don't know what the lesson is, except that saying that weapons are always bad isn't quite the right level of discourse.

Okay, third detour: the fragility of democracies. Now, during my travels in 2015 I visited a whole bunch of countries, and at some point I realized, and my wife and I realized, every place, almost every place, we had visited had living memory of death squads, and many of these places are not places that you immediately associate with living memory of death squads. But let's start with France: during the Algerian war the French secret service disappeared people in Algeria and pioneered a technique later taken up by the Argentinians called death flights, where you just make sure that people disappear by taking them on a flight over the sea and dumping them there; no corpse ever shows up, people are just gone. Morocco had more than 740 disappearances under King Hassan II, and assassinated people in Paris. Uruguay arrested 20% of its population at one point under the dictatorship. Argentina had 30,000 people disappear. South Africa had very well-documented torture and assassination infrastructure during the late days of apartheid, which targeted their own civil society; like, lawyers that were arguing against arbitrary detention got killed. Portugal under Salazar disappeared people. Spain had more than 100,000 dead under Franco's white terror, 100k disappeared in the following years. Taiwan had people disappear. It's just that almost every country has death squads within living memory; there's still people alive that were alive when that happened, and it's something we need to remember: democracies and basic rights are super fragile, and they're not the norm, and every democracy is about two terrorist attacks and one opportunist away from a dictatorship. The other thing is, empirically, state-sponsored death squads happen, and they happen with regularity, and all of us have grown up in a particularly, surprisingly peaceful point in history, in a peaceful area of the world, and that tends to bias our judgment of what's happening. Meaning we've only experienced peace and we've only experienced rights, and it's very important to keep in mind that that is not everybody's experience, and also historically an anomaly, and we don't know whether it'll last.

All right, so
let's talk about the issues I have where I don't particularly love offensive work. I talked a lot about the reasons why I love offensive work; now there's some societal reasons why I don't love offensive work, there's some emotional reasons and there's some technical reasons.

The societal reasons. The very first one, and perhaps the most important one for me, is the question "for whom?" About 20 years ago I first met Robert Morris Senior, and I admire the person, I admired the person when he was alive, and he was a fantastically entertaining person to chat with. At some point he asked me what I do, and I had just started at university studying mathematics, so I told him I study math, and his answer was "for whom?" I found that very confusing, like, for me: I go to university, for whom? And this question, "for whom", is one that is actually surprisingly important for all of security, because we have to realize that all of security is fundamentally about human conflict. Doing security, you're always on somebody's side, and this holds true for both offensive and defensive work. The reality is that if you're on somebody's side and get paid, you're usually on the side of the powerful, because the powerful have the money to pay people. So one of the things that I find difficult with all of security is you always pick a side, and I'm sometimes running out of sides that I want to pick.

The second societal reason why offensive work can be disappointing is there's essentially three big career paths on the offensive side, and they all have different downsides. Option one is the government agency, where you get to directly work on the problems and the operations and so forth, and the positive is this is impactful work; you have some insight into what's happening with your work and so forth. There's a lot of cons to this, though: the pay is relatively low, there are a lot of quite onerous restrictions on your travel, on your interaction with foreigners, your ability to work from home and so forth. Career advancement is mostly at the expense of actually doing technical work, where you have to become a managerial person in order to advance, and increasingly you may end up not doing the technical work but just managing contractors that then provide you with services. So that's one option, not everybody's option. You can go to an offensive vendor, where the salaries are much better, but then the trouble there are the economic incentives, where usually for most offensive players their profits are maximized when they sell to the scummiest people, because the scummiest people have difficulty getting these capabilities otherwise, so they are willing to pay the most money for it. Another con working for an offensive vendor is you may work in an organization where top management has an incentive to lie to you. If you look at Hacking Team: Hacking Team told their own people, "oh yeah, we comply with all these laws and we comply with Wassenaar." What this meant is they had a friend in the Italian ministry that would okay an export to Sudan, and that was their Wassenaar, right? So the point is you may work in an organization where your own management will not tell you the truth or will actively mislead you about what's happening. There's also the con that the international legal protections are unclear in the long run; at least one person couldn't talk here, particularly because she did work that she thought was okay, and then politics changed and there were long-term legal repercussions for her. So that's the legal protection: if you are doing this work, maybe it's okay now, but you don't know what the situation is in ten years, and you may not know which countries will take offense with your past work. On the defensive vendor side there's good salaries, or let's say decent salaries, but a lot of flexibility if you do the R&D piece. There's fewer ethical mis-incentives, which is good, but the downside then is you're not business critical, normally, and you're always a cost center, which means if business turns sour you will be on the list of things to cut. And then there's the emotional side that not everybody loves, which is you get to do vuln research and then kill your creations; not everybody deals with that similarly well. But all three of these options have their individual downsides, and none of them is perfect.

Another reason is that there's a somewhat limited societal value add, in the sense that to some extent the internet giants have turned themselves into spy agencies. I mean, the explicit reason the Chinese government mentioned for attacking Google back in 2009 was "Google is turning itself into the biggest spy agency, and you can cooperate with or compromise other spy agencies; Google doesn't cooperate." So the vendors have turned themselves into spy agencies, they've convinced the population to pay for their own surveillance gear, which is also awesome, and now the spy agencies want a piece of the pie. So if you ask yourself the question how does offensive work actually improve the world outside of my own life, the answer may not be terribly good; like, the potential for having a positive impact on a million people is limited. I have a diagram here on how this works: we've got the vendors that spend billions to convince people that carrying surveillance devices is a great idea; you have the population that is convinced that this is a good idea, buys the surveillance device and provides the data to the vendors; and then you've got the security apparatus on the right-hand side that either pulls the data out of the vendors via legal means or pulls the data right out of the devices by offensive means. You get to pick whether you work for the vendor or the security apparatus; you don't get to pick to work for the population, which is not great.

Another emotional reason why offensive work is difficult for me is everything is so complicated. Meaning the joy of finding bugs and exploiting them is very pure; it gives me a very direct, pure intellectual reward. Every decision thereafter, you can write a bookshelf of moral philosophy PhD theses on the implications, or 20 gigabytes of Twitter ranting. I personally don't enjoy these complications; I like the first part, but everything thereafter I could really live without. Another emotional reason why I find offensive work difficult is there's the saying that it's very difficult to make somebody understand something if their salary depends on not understanding it, which is a short form of saying that if you're economically dependent on something, it by its nature skews your perspective of that something; like, you cannot reason very soberly about something that pays your bills. At some point I wondered to what extent being part of security distorts my own view, and I was curious to see how my view would change if I wasn't economically dependent on security anymore.

Right, there's an emotional part which is negative, which is that security, or often offensive security, is less cumulative than most other engineering. We stopped really working on BinDiff almost 10 years ago; it's still useful now. It's
very rare for for offensive tools to have the same lifespan and if you look back on long offensive career it can
look like oh I found this open edge remote and it's gone I found this RDP remote and it's gone I developed this
technique for exporting 2006 KX my work that's gone so even by technology standards which is reasonably fast
moving offensive technology is particularly ephemeral ephemeral ephemeral difficult word okay
another technical reason why security isn't offensive security isn't great is if you maximize the profitability it's
actually really repetitive because every new target has a very significant ramped up cost your first chrome exploit is
much more expensive to build than the next ten and the customers build and how are tool chains around a particular
technique so that they need swap ability of parts so when one bug dies they need a precise replacement for that bud which
kind of limits the the exploration exploitation side to exploitation meaning you don't get to explore as much
because you need to produce to maximize profit the same thing over and over again so in some sense you maximize your
profits when you also maximize your intellectual stagnation by doing the same thing over and over again the point
eight is offensive work often makes you transition to an expert on obsolete technologies because obsolete
technologies is where the bugs are and you can argue that there's more people that have a deep understanding of two of
TrueType font rendering in offensive security than they ever wear in typography by now that particular area
has been read and it's provided 15 years of remote access it may provide another 10 years or so but eventually fund
rendering will be sandbox sufficiently that that's not the drawer you get into anymore at which point you are the
world's expert on a technology that's not no longer relevant anyway the the nature of offensive work is that you
target mass-market tech which is always a couple of years behind emerging tech right number nine missing a big
technology transformation computing at the moment is changing in a way it hasn't changed in 30 years the the data
center size computing is emerging we have protocol prototypical OSS nobody's got a clue how to properly architect
them no real debugging exists the end of more restructures the way we build computers and we think about computing
all that is super exciting but a lot of the offensive work is hey can you do another Chrome please or can we have
another Safari and app reverse please but kind of feels like it's not the most exciting area so I'll get like I see a
lot of glum faces I'm at the last of the 10 negative reason I gave 10 positive ones I give 10 negative ones
the last negative part is what I call the obituary test now my wife calls me
captain sunshine because I actually enjoy reading obituaries it's probably my favorite form of literature and I
believe in trying to live your life by reversing reverse engineering your life from the obituary you would like to have
so sit down and think what you're a bit sure we should read and then try to live your life in order to get the obituary
you want and I looked at my my imaginary nari and I was like there's there needs to be more than than just doing
security and I looked around and one of my idols gave out of the shot oh the man they're talking everything everything
important about heaps has a very successful post security career building imaging satellites and many other of my
idols had multiple careers so at some point I wondered am i a one-trick pony of sorts and I felt the need to try to
do something else for a while I mean I can always return to security if all else fails but at the moment staring at
my virtual obituary I was like okay this needs needs a change so decision on my side was I'm gonna do something else for
a while and what I'm gonna do now is performance optimization because it turns out you
have a lot of a technical upsides of offensive work meaning it is full stack and if you do well you like if you're
technically competent you can actually produce really good results for the client a lot of super interesting
technical problems there and a lot of room for creative solutions there's a few emotional advantages of all of that
it's really really nice to not have an ambiguous feeling about the implications of my work just yet it's also really
nice to not have to answer the question for whom so much and given that security of an offensive security often has the
has negative externalities for somebody it's really nice to work on something that has positive externality in the
sense that if I do well my client serves money I earn money and we're saving some co2 because we saved energy consumption
that was wasteful in the first place another great advantage to no longer doing security is it gives you super
aura tea and Twitter debates because whenever you argue with somebody that's still in
security you can have the smug superiority of saying well your opinion is invalid because you still earn your
money with security so I very much appreciate that that advantage it's a bit unclear whether economically all of
this will pan out it's not clear for me how I can start taxing society if I figure it out I'll be a happy man
so summary of my talk offensive work is absolutely great and offensive work is absolutely terrible and I think we
should all be extremely aware of the fragility of democracies and personal rights and the fact that in all
likelihood any country you work in will have death squads in a hundred year period at least from what we know so far
and the ethical questions are real and complicated and have no easy answers and everybody has to answer them
individually two more messages security is really a very very tiny shard of a very very much bigger world and
offensive work is a tiny fragment of a much bigger interesting computational world and as much as offensive work is
fascinating and awesome there's a lot of stuff outside that's also quite cool anyhow balancing your love for something
with you're not law for something is often difficult especially for me I have no good answers enjoy the calm
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.