GUIDE TO (mostly) HARMLESS HACKING
Volume 3, Number 14
How to Get the Best Education in Computer Security
In this Guide:
* Dr. Keith Rhodes on careers in computer security
* How to get a free university education in computer science or computer engineering
* Accreditations: the good, the not so good, and the ugly
* How to spot "colleges" and "universities" that offer nearly worthless degrees
* How to discover the truly great schools
* Why go to graduate school?
* How to make friends with professors -- and why! Even if you aren't a student (yet)...
Some computer security careers are more rewarding than others. This Guide tells you how to prepare yourself so that you, too, can win the kind of career that will keep you happy (and well paid!).
Here's an example of a totally awesome job. Keith Rhodes is the Chief Technologist and Director of the Center for Technology and Engineering of the Government Accountability Office. His job is to evaluate computer security for U.S. Federal agencies and report on them to Congress. He often does this by -- breaking in!
At a workshop held at the Santa Fe Institute (http://www.santafe.edu) in November of 2005, Rhodes told us about a penetration test of a Federal agency that shall remain unnamed.
While in the lobby of this Federal office, Rhodes saw a guard help someone in a wheelchair get through the handicapped entrance without checking for a valid ID card. The guards had turned off the alarm that sounds when someone fails to swipe a valid card, because the handicapped entrance had caused too many false positives.
Rhodes returned in a wheelchair and the guard helped him through the handicapped entrance. Rhodes wheeled down a hall, then in the midst of a crowd got up and walked off. "No one noticed it was a miracle," he said. Just before he left the building, he folded up the wheelchair and then he carried it through the exit. A guard stopped him, asked whether the wheelchair belonged to the agency, then let him go. Never checked him for a valid ID card.
One of the assets that helped Rhodes get his fascinating and important job was his Ph.D. in computer engineering. Here's what he has to say about why this sort of degree is so valuable.
*** Dr. Keith Rhodes on Careers in Computer Security
"Formal education is extremely important. Beyond learning a particular application, you need to know fundamental principles of engineering and design.
"One of the reasons why software is in such a sorry state is that people put up with it. I don't think that people have learned the fundamental disciplines needed for all levels of testing. You won't get that in these computer security certifications because you don't get the full software development cycle taught to you. There also is a benefit in getting higher degrees than just your B.S. (Bachelor of Science). A B.S. is sort of a union card that starts you as an apprentice. After that you move on to your ultimate goal. If you remain in academia all your life, that is not good either.
"When people come to me asking where they should go to school, I say, look at their programs, are good people teaching? Also look for a strong practical side, will you learn engineering, planning, testing? Will you learn the limitations of compilers and operating systems? Will the operating system you use clean up after itself in memory? Watch out for programs where people merely say, gee, I'm writing pretty code!
"And how about buffer overflows? There is no reason anyone should have buffer overflows. Yet they are responsible for the vast majority of security flaws. Why don't you catch that design flaw before someone later exploits it?
"What we need is well designed code. For example, with most of today's applications, everything is coded to be royalty. Then you have these two divinely appointed royalty applications running and they clash and it's war.
"So what you can learn with a good education is how to do it right. You can pay me now by coding it right, or pay me later -- with security flaws.
"Go to the bookstore and check out the computer shelves. They come in two sections: books about crap, and books about how to survive crap. Surviving means workarounds, and they introduce their own problems.
"Example: Release 1.0 comes out and somebody posts, oh, there's this problem. Next a documented exploit comes out. You patch it but you don't do a full code review. So you solve that individual problem but there are still millions of ways that software still can break on you. The reason for this is that the software industry in general has the struggle of running a business to respond to customer demand. In their universe, "broken" means they have nothing to sell. By contrast, in our universe of computer security, "broken" means that the software is risky.
"I believe software developers ought to be hiring graduates from the Federal Cyber Service program. It provides scholarships at participating colleges and universities in exchange for maintaining a high enough grade point average and agreement to work for the government for a few years after graduation. (Cyber Service scholarships: http://www.sfs.opm.gov/) This program plants the seeds of a focus on security.
"Just think about what we will be facing in the future, let it capture your imagination. We'll have pervasive computing. Somebody digitizes your toaster, somebody unifies it with the net, now how can Underwriter's Lab, which certifies toaster safety, say that toaster is safe? To live in your home, you should not need a master's degree in electrical engineering.
"Do building codes protect us? Yes. But look at that EULA (end user licensing agreement). EULA lets everyone off the hook. As we move into this brave new world, the virtual and the physical become the same. Does everyone then get a pass on product safety? How do we find the boundary between the virtual and physical?"