Friday, August 14, 2009

how high the moon

This isn't really about security, but it is about technology.

As we all know, Les Paul died yesterday. When I heard the news, I wasn't surprised -- he was pretty old -- but I was definitely sad. Les Paul's guitars and his wife Mary Ford's voice were a huge part of my early childhood. As a child who loved to sing, I was very interested in the multiple vocal tracks; naturally I thought it was several women singing. My parents explained the concept of multitracking and I became quite fascinated. It wasn't until recently that I had the ability to do more than double-tracking, but I still experiment with vocalizing and multitracking now and then. Later on, I learned a lot more about Les Paul's work with Gibson and came to worship the Les Paul style of guitar for the incredible instrument it is. I no longer own a Les Paul guitar myself, but at some point I may invest in one again (the one I had was the less expensive Epiphone™ model).

I could go on in depth about how multitracking works, but I wouldn't be able to describe it as well as Les and Mary themselves, as they joked with Alistair Cooke on Omnibus, shown in this clip:

RIP, Les. You're missed.

Thursday, August 13, 2009

what's the point?

I was asked some philosophical questions today in an interview, about what the point is of Information Security, and why I do that instead of something else. The questions were general enough that I don't feel it's unethical to talk about them here, so I'm going to expound on them a bit.

First of all, why am I in Infosec? I sort of "fell into" the profession, unlike a lot of people who have perhaps more technical backgrounds. It's not that I don't have a technical background at all -- I knew how to spell TCP/IP before I got into Infosec -- but most of what I know about networking and systems was learned on the job, not something I knew before I started. There will probably always be gaps in my knowledge because of this, and it can be pretty frustrating to be confronted with those gaps.

But on the other hand, one of the things I love about Infosec is that NOBODY knows everything. There is always more to know. There are people who are looked up to, but the true Information Security professional never feels that it's possible to be an expert. There is no one tried and true way to effect security; there is theory and there is practice and there is hard work. There is guessing, and hunches, and aha! moments. There is the triumph when you have defeated a problem, and there is the sick, sweaty, panicky feeling when you know that there is a problem but not exactly what it is or how to fix it.

And that is what I love about Infosec, and why I do it. It's a sea of chaos out of which I can do my best to make some order. It is a never-ending source from which I can drink knowledge. It's the frontier, and I love to explore it, even if I occasionally get eaten by a tiger.

And that's the thing; we are in fact going to be eaten by tigers. Because the only truly effective way to secure a system is to disallow it from BEING a system -- to cut off all access to it -- there can never be any assumption of security. There will be breaches and leaks. However, that knowledge is no reason to stop trying to secure systems and networks. I lock my car doors when I walk away, even though I know that a determined thief can break in. I want to make it hard for him to break in, and once he does, I want to make it very difficult for him to get away with my goods. It's a battle that I may not always win, but if there is a point to doing business at all, there is a reason to try to secure the means of doing that business. And after you have done everything you can think of to secure the systems and network, you never assume you have succeeded; you continue to check, you monitor, you look for the little things, you keep on pushing, because the tigers are hungry.

There are other things I like to do. In fact, I probably spend too much time doing some of them. But over and over, Information Security engages my passion, and seems to me to be something worth doing. And that is why I do it.

Wednesday, August 12, 2009

black what now?

Not all that long ago, I joined a mailing list called WISE, which stands for Women In Science and Engineering. Once I'd joined it, I wondered what had taken me so long. Subsequently, one of the other members -- the same one who had invited me to the list -- talked about her professional blog, and I began wondering again. This time I wondered why I, an Infosec professional for over a decade and a prolific writer, didn't have a professional blog.

The answer to that question is simple but sad: I didn't realize, until fairly recently, that I had something to say. As a woman in Infosec -- there are still so very few of us -- I am something of a dancing bear, and I have been admonished to "shut up" by my male colleagues fairly often. Looking around, I am not seeing other female Infosec professionals with blogs or who contribute to the "official" blogs in the industry.

I'm not interested in bringing feminism to Information Security. Rather, knowing that I am good at what I do, I am interested merely in being heard. I am not so different from my male colleagues. I think that I do, in fact, have something to say.

So why Black Cats and Smoke and Mirrors? Well, first of all, I'm a nerd, and nerds love puns. Many IT professionals don't really understand Infosec, so I'm making fun of that. In addition, though most of us don't exactly brag about it, there's a little "black cat" in every white hat; in order to figure out how to protect systems, we have to know how to break or break into them. While obfuscation isn't the best or only way to protect, smoke and mirrors does play a part in securing systems and assets.

Although currently I'm between positions (and doing research in forensics on my downtime), I'm constantly thinking about and reading about Infosec. I think it's time I took all that thinking and reading and wrote about it, too. I hope that you'll agree that I have something to say.