Last updated at Wed, 03 Jan 2024 20:06:45 GMT
On this week’s episode of Security Nation, we had the pleasure of speaking with Rob Graham, the founder of Errata Security Consultancy, well-known security blogger, and soon-to-be book author. Our podcast highlights guests who have taken on a challenge that has advanced security in some way, and Rob’s work in developing BlackICE and now writing a security textbook are perfect examples of this.
Here is our recap of the podcast:
Behind the scenes of BlackICE
Twenty years ago, Rob created BlackICE, an intrusion prevention system (IPS) that detects and blocks intrusions. Eventually, it was purchased by IBM. If you were in cybersecurity 20 years ago, you likely used it on your desktop, but upon its acquisition, it went where most apps that IBM acquires go: the IBM graveyard.
Rob explained that the name BlackICE came from William Gibson’s “Neuromancer” book. “ICE” stands for Intrusion Countermeasure Electronics, and because that was pretty much what he was building, the name seemed fitting. However, Rob felt guilty about using a name created by another author, and one day William Gibson tweeted about how people lift product names from his book all the time, but most aren’t successful. Someone replied that BlackICE was actually wildly successful, so Rob chimed in that all these years he had been feeling guilty about taking the name. Gibson wrote back to him “If you just buy me a new MacBook, we’ll call it good”… and so Rob did just that.
During our interview, Rob talked about technical breakthroughs achieved with BlackICE, such as user mode network drivers. At the time, everyone thought you needed to put everything in the kernel for performance, he did the opposite by putting everything in user space, including the hardware drivers. That’s how they achieved such good performance. Nowadays, this practice the standard for nearly all packet sniffers.
He also changed the way in which you can parse network traffic efficiency. Though this is a common practice today, back then, it was very difficult for people to know how to parse traffic. Simply put, BlackICE set the tone for many common practices you see in cybersecurity tools today that were quite foreign and revolutionary back then.
When others are doing it wrong, write a book
Much of our interview centered around Rob’s upcoming book on securing network code. In Rob’s words, “Because everyone’s doing it wrong, I want to show how it can be done right.” He says he’s covering everything from how to secure IoT devices to security hygiene. When most people talk about hygiene, it’s more like waving your hands over a problem. Zatko, for example, is trying to show that all IoT devices don’t have ASLR enabled. ASLR is designed to help you when you have a security issue that’s exploitable so that you can practice better hygiene. While that certainly could help things, it’s hand-waving over the real problem: Where do these security problems actually begin? Rob explains that you really need to be looking at how to refactor the code to get rid of the vulnerabilities in the first place.
Exim, a popular email server that runs over half the publicly accessible email servers, is a prime example of how no amount of ASLR hygiene can fix the fundamental problems they have. Exim essentially passes all their strings through a generic scripting system, which can have replaceable variables like usernames. There’s a full scripting language where you can call function calls and DLLs and it passes everything through, like host name from the SNI field and an SSL certificate through the system. This means you can actually supply a full script as the host name that you’re connecting to. So, rather than defining what the input should be, such as just a host name, they instead say, “We’ll accept anything in this field though the cell connection and won’t apply any sanity check whatsoever before it passes through the rest of the system.”
This is much of what Rob’s upcoming book is about—how do we identify problems like this and refactor them to reduce or eliminate them from coming back in the future.
A lesson for all
Rob has big intentions for his book, which we were quite excited to hear about during the podcast. The first is for it to be used across universities. Most professors don’t have a good textbook that teaches students how to secure code, or if they do, they tend to be hygiene-focused rather than root-case-focused. His second goal is to leverage the book as a reference point for companies that want to fix these fundamental problems.
Rob also hopes the book will open up the public policy discussion. There are a lot of discussions within policy circles right now around secure by design and how to incentivize the right behaviors, so having better information on what that looks like can be helpful for both policymakers and educators. He’s also written quite a bit of code that’s now on Github that demonstrates how you can make issues like Exim’s right.
Advice to future security authors
We wrapped up our interview by asking Rob what advice he has for others looking to write a book. His first piece of advice: Be prepared for quite a bit of work. His original plan was to take some blog posts he’d written and publish them together in a book, but as he got into it, he realized that it’s much more than that.
Another lesson Rob shared is to be okay with disagreement. When he finds something he disagrees with (like the whole fiction of the OSI model) a book can be a good place to right a wrong (recognizing, of course, that there will be people who will disagree with you). Rob says disagreements can be healthy, when done right, and he advises people see them as an opportunity to learn and grow. If you’ve ever read Rob’s work, you know he tends to take a stance on a topic, but he is also very open to listening to different viewpoints and having an actual discussion about it. With that, he wrapped up by saying, “I can’t imagine anything worse than being in a room where everyone agrees with you.”