Charlie Miller, (also on Twitter) is well-known in the security community for his exceptional hacking results. He won the Pwn2Own contest at CanSecWest 4 times by exploiting various Apple products (e.g., Safari, iOS) . Then he surprised the world by performing a remote hack on a Jeep Cherokee. He is now with us to shed light on how he approaches complex systems and finds their weaknesses.
Here is his story.
Charlie Miller: I received my PhD in Math but from there if I wanted to stay in math, I had to continue doing research in the field I had written my phd in. I didn’t want to continue that research. In academia, at least for a long time, you can’t easily switch research topics. Besides academia, there aren’t many jobs out there for a phd mathematician, so I ended up going to work for the NSA which was hiring cryptographers.
CM: Even though I was hired to be a mathematician at the NSA, they had a variety of training programs. I started training in computer security and working jobs there that emphasized this skill. I basically learned on the job, which is a great way to do it if you can.
CM: I don’t think there is an easy solution. Companies want to sell products and be first to market. Security is expensive and, for the most part, invisible to the consumer. This makes it hard for companies to justify large expenditures in security.
CM: There are a few issues that make car security different from most computer security. For one, the effects of issues are much more critical. However, the biggest issue is that cars take years to go from design to production. That means any security lessons we learn now won’t be present in cars for 4-5 years. This is one of the reasons why it is important to start working on car security now, before we have real world issues, because otherwise it will be too late.
CM: The best way is to jump in and do something. Audit a piece of software, tear apart an exploit and see how it works, write an exploit for a simple program, write security tools, etc. Security is best learned by doing.
CM: Well, in general I like Ida Pro and 010 editor. In the car security world, I like ecomcat and Vehicle Spy.