'Security research is a serious business'
By Edwin Yapp October 10, 2012
- The perception that security research is just about partying is wrong; it requires tons of time and effort
- Need to work on fundamental, industry-changing problems, and to think big rather than settle for small solutions
SECURITY researchers are often perceived as counter-culture driven individuals who are having a ball partying and enjoying life to the max, but the truth could not be further from that, according to applied information security researcher Haroon Meer.
Speaking at the Hack in the Box (HITB) Security Conference in Kuala Lumpur today (Oct 10), Meer, founder of thinkst, said that information security researchers are not being portrayed accurately.
“The perception is that you’ll see a lot of information security (info sec) rock stars partying out of their minds at a lot of these security conferences, including here at HITB,” Meer told Digital News Asia on the sidelines of the conference.
“So kids [and would-be info sec researchers] think that this is what it’s all about, hackers going out and partying every week.
“What they don’t realize is that these info sec rock stars are possibly spending 364 other days of the year behind a terminal screen working on problems. So kids try to emulate these guys thinking of the partying life, but they are actually never going to succeed if they’re not going to put in those hours behind the research.”
Thinkst, founded by Meer three years ago, is an applied research organization dedicated to working on difficult and niche security problems.
Meer said serious info sec researchers cannot afford to be mediocre at what they do but must instead be totally committed to the cause.
Citing journalist and author Malcolm Gladwell, Meer said would-be security researchers need to put in tons of work to truly make serious research meaningful. Gladwell postulated the “10,000-Hour Rule”, in which he says that the key to success in any field is, to a large extent, a matter of practising a specific task for a total of approximately 10,000 hours.
“I think a big problem in info sec today is that people don’t commit enough to the work,” he said. “Also, I believe that there are researchers out there who bluff themselves into thinking that they are actually working on problems that matter, but in fact they aren’t.”
Asked if laziness was part of this problem, Meer said it could be a related factor, but he believed that this was not the core of the problem.
“Author Seth Godin in his book, The Dip: A Little Book That Teaches You When to Quit, noted that people working on any good research project start off well but after a while, they encounter a ‘dip,’ where things become heavy, boring and not fun anymore. Most people don’t get past this dip, and Godin says that if one doesn’t pass this dip, one can’t get to the good stuff on the other side of the dip.
“[For me] it’s the same with info sec research as all of us have got to realize that there is something worth it on the other side of that dip before we start reaping the rewards. The problem is that if people don’t get the taste of the ‘cool stuff’ on the other side, they never go there [in the first place]. When they start something, they hit the dip, and they pull back and stop.”
Info sec researchers, he added, need to escape this trap by setting aside the idea that luck plays a part in it, and by realizing that serious research requires commitment. “I think it’s the sort of stuff that when you hear about it, you academically know and the head knows, but even though we know, we don’t get around to doing it.”
Working on big problems
Earlier in his keynote address, Meer also said he believes that many info sec researchers today are not focused on big problems that can fundamentally make significant changes to industry problems.
He believes that there are many talented people out there who are knowledgeable about info sec but are only content to work on small problems rather than on big problems, which require years of commitment.
Citing a quote from Richard Hamming, Meer noted that the renowned mathematician had asked a very poignant question, which is applicable to today’s info sec research world.
“What are the great problems in your field and are you working on them? We’ve got some serious problems in our industry today, such as authentication, which is fundamentally broken on the web. The truth is we need to ask ourselves whether we’re trying to take on big problems or trying to solve the little ones all the time.”
Meer said that while there is nothing wrong with trying to solve small problems, the ones that end up hitting the headlines may be good fodder for discussion at the next conference, but they do not fundamentally move the research agenda forward.
“I’m starting to wonder if this is the case because the guys doing this are not going to pass the dip. They may do enough to get them to the conference stage but doing the great stuff may require 10 years of being locked in a room.”
Asked what he would do to address this, Meer said, “The first part is to re-aim our attitudes that we want to be committed to making big changes.
“The second is, we need to ask whether that piece of research fundamentally moves the ball forward when there is a next headline. If it doesn’t, maybe we shouldn’t be giving it the shout that it deserves as it ends up being a distraction.
“We should stop giving that stuff attention so that we start getting people to consciously say 'I want to do great stuff and solve real big problems instead of just working on small ones'.”