Written by Gábor Pék
Charlie Miller, (also on Twitter) is well-known in the security community for his exceptional hacking results. He won the Pwn2Own contest at CanSecWest 4 times by exploiting various Apple products (e.g., Safari, iOS) . Then he surprised the world by performing a remote hack on a Jeep Cherokee. He is now with us to shed light on how he approaches complex systems and finds their weaknesses.
Here is his story.
Gabor Pek (avatao): You have a Ph.D. in Mathematics and you are now one of the best known security researchers in the world. Why did you change your field of interest and why IT security?
Charlie Miller: I received my PhD in Math but from there if I wanted to stay in math, I had to continue doing research in the field I had written my phd in. I didn’t want to continue that research. In academia, at least for a long time, you can’t easily switch research topics. Besides academia, there aren’t many jobs out there for a phd mathematician, so I ended up going to work for the NSA which was hiring cryptographers.
GP: How did you start learning IT security? Where did you get help from at the beginning when you got stuck in a problem?
CM: Even though I was hired to be a mathematician at the NSA, they had a variety of training programs. I started training in computer security and working jobs there that emphasized this skill. I basically learned on the job, which is a great way to do it if you can.
GP: You won the Pwn2Own contest at CanSecWest 4 times and were nominated for the Pwnie Award 3 times. These are huge results. What is your approach to control a previously unknown software?
GP: Most of the products today fail to meet the security best practices to keep up with the business demands. How do you think this controversy could be solved?
CM: I don’t think there is an easy solution. Companies want to sell products and be first to market. Security is expensive and, for the most part, invisible to the consumer. This makes it hard for companies to justify large expenditures in security.
GP: You are also well-known for your research in car security. What do you think the most pressing issues are in car security today? How do you envision car security in a few years from now?
CM: There are a few issues that make car security different from most computer security. For one, the effects of issues are much more critical. However, the biggest issue is that cars take years to go from design to production. That means any security lessons we learn now won’t be present in cars for 4-5 years. This is one of the reasons why it is important to start working on car security now, before we have real world issues, because otherwise it will be too late.
GP: What do you recommend how the next generation should start learning IT security?
CM: The best way is to jump in and do something. Audit a piece of software, tear apart an exploit and see how it works, write an exploit for a simple program, write security tools, etc. Security is best learned by doing.
GP: And finally. What are your favorite tools?
CM: Well, in general I like Ida Pro and 010 editor. In the car security world, I like ecomcat and Vehicle Spy.
Reading Time: 9 minutes Security champions play a vital role in establishing and maintaining a security culture in an engineering organization. See how to turn your developers into security champions!
Reading Time: 6 minutes As the company grows the leadership wants to establish a security program to ensure the solid and undisrupted operation of the business. Security at this point is essential, especially when calculating the loss from a halted business, even for a few hours.
Reading Time: 9 minutes OWASP Top 10 Vulnerabilities in 2021 based on the non-official proposal of Phillippe De Ryck. Here is what we know.
Reading Time: 7 minutes Security champions represent an essential part of any security programs. They lead their teams on security projects, ensure internal security and help keeping security on the top of your mind. But how exactly they operate in a business? We asked Alexander Antukh, Director of Security at Glovo for professional insights.
Reading Time: 6 minutes For most companies, security is considered a side quest, which is partly related to the daily processes. In reality, security ought to be a strong foundation of any organization. To ensure the defense of the enterprise, the relevant teams need strong security knowledge and abilities.