Monday, October 21, 2013

NCSAM – Eireann Leverett on why magic is crucial

By Eireann Leverett @blackswanburst and Craig Brophy @CraigBrophy

Late last week I had the pleasure of interviewing IOActive Labs CTO Cesar Cerrudo on how he got into IT security. Today I am fortunate enough to interview Eireann Leverett, a senior researcher for IOActive, on this field and how magic played a part.

IOActive: How did you get into security?

Eireann: Actually, I was very slow to get security as an official title for a job, it was only really in the last few years. However, I always knew that's how my mind was bent.

For example, everything I know about software security I learned from card tricks at 14. I know it seems ridiculous, but it's true. Predicting session IDs from bad PRNGs is just like shuffle-tracking and card counting. Losing a card in the deck and finding it again is like controlling a pointer. If you understand the difference between a riffle shuffle and an overhand shuffle you understand list manipulation.

Privilege escalation is not unlike using peeks and forces in mentalism to corrupt assumptions about state. Cards led me to light maths and light crypto and zero-knowledge proofs.

From there I studied formally in Artificial Intelligence and Software Engineering in Edinburgh. The latter part took me into 5+ years of Quality Assurance and Automated Testing, which I still believe is a very important place to breed security professionalism.

After that I did my Master's at Cambridge and accepted a great offer from IOActive mixing Research and penetration testing. Enough practicality so I'm not irrelevant to real world application, and enough theory & time to look out to the horizon.

IOActive: What do you find most exciting about security?

Eireann: The diversity of subjects. I will never know it all, and I love that it continually evolves. It is exciting to pit yourself against the designs of others, and work against malicious and deceptive people.

There are not many jobs in life where you get to pretend to be a bad guy. Deceptionists are not usually well regarded by society. However, in this industry having the mindset is very much rewarded.

There's a quote from Houdini I once shared with our President and Founder, and we smile about it often. The quote is:

"Magic is the right way to do wrong."

That's what being an IOActive pirate is: the right way to do wrong. We make invisible badness visible, and explain it to those who need to understand business and process instead of worrying about the detail of the technology.

IOActive: What do you like to research, and why?

Eireann: Anything with a physical consequence. I don't want to work in banking protecting other people's money. My blood gets flowing when there are valves to open, current flowing, or bay doors to shut. In this sense, I'm kind of a redneck engineer.

There's a more academic side to me as well though and my research passions. I like incident response and global co-operation. I took something Team Cymru & Dragon Research said to heart:

"Security is more about protecting your neighbours."

If you don't understand that your company can be compromised by the poor security of your support connections you've missed the point. That's why we have dynamic information sharing and great projects like openIOC, BGPranking, honeynets, and organisations like FIRST. It doesn't do you any good to secure only yourself. We must share to win, as a global society.

IOActive: What advice would you give to someone who would like to become a pentester/researcher?

Eireann: Curiosity and autodidacticism is the only way.

The root to hacking is understanding. To hack is to understand something better than it understands itself, and then nudge it to alter outputs. You won't understand anything you listen to other people tell you about. So go do things, either on your own, or in formal education. Ultimately it doesn't matter as long as you learn and understand, and can articulate what you learned to others.

