Interview with Charlie Miller, security researcher

Gábor Pék (CTO, Avatao)

Charlie Miller (also on Twitter) is well known in the security community for his exceptional hacking results. He won the Pwn2Own contest at CanSecWest 4 times by exploiting various Apple products (e.g., Safari, iOS). Then he surprised the world by performing a remote hack on a Jeep Cherokee. He is now with us to shed light on how he approaches complex systems and finds their weaknesses.

Here is his story.

Gabor Pek (Avatao): You have a Ph.D. in Mathematics and you are now one of the best-known security researchers in the world. Why did you change your field of interest and why IT security?

Charlie Miller: I received my Ph.D. in Math, but from there, if I wanted to stay in math, I had to continue doing research in the field I had written my Ph.D. in. I didn’t want to continue that research. In academia, at least for a long time, you can’t easily switch research topics. Besides academia, there aren’t many jobs out there for a Ph.D. mathematician, so I ended up going to work for the NSA, which was hiring cryptographers.

GP: How did you start learning IT security? Where did you get help from at the beginning when you got stuck in a problem?

CM: Even though I was hired to be a mathematician at the NSA, they had a variety of training programs. I started training in computer security and working jobs there that emphasized this skill. I basically learned on the job, which is a great way to do it if you can.

GP: You won the Pwn2Own contest at CanSecWest 4 times and were nominated for the Pwnie Award 3 times. These are huge results. What is your approach to control previously unknown software?

CM: The most important part is deciding what to do. Whether that means picking the piece of software (say Safari) or which part of that software to attack (say a particular part of the JavaScript engine), focusing on the right parts helps you become efficient at finding vulnerabilities.

GP: Most of the products today fail to meet the security best practices to keep up with the business demands. How do you think this controversy could be solved?

CM: I don’t think there is an easy solution. Companies want to sell products and be first to market. Security is expensive and, for the most part, invisible to the consumer. This makes it hard for companies to justify large expenditures in security.

GP: You are also well-known for your research in car security. What do you think the most pressing issues are in car security today? How do you envision car security in a few years from now?

CM: There are a few issues that make car security different from most computer security. For one, the effects of issues are much more critical. However, the biggest issue is that cars take years to go from design to production. That means any security lessons we learn now won’t be present in cars for 4-5 years. This is one of the reasons why it is important to start working on car security now before we have real-world issues because otherwise, it will be too late.

GP: What do you recommend about how the next generation should start learning IT security?

CM: The best way is to jump in and do something. Audit a piece of software, tear apart an exploit and see how it works, write an exploit for a simple program, write security tools, etc. Security is best learned by doing.

GP: And finally. What are your favorite tools?

CM: Well, in general, I like IDA Pro and 010 Editor. In the car security world, I like ecomcat and Vehicle Spy.
