Command Line Heroes - All Together Now

Episode Date: May 31, 2022

Our show is all about heroes making great strides in technology. But in InfoSec, not every hero expects to ride off into the sunset. In our series finale, we tackle vulnerability scans, how sharing information can be a powerful tool against cyber crime, and why it's more important than ever for cybersecurity to have more people, more eyes, and more voices in the fight. Wietse Venema gives us the story of SATAN, and how it didn't destroy the world as expected. Maitreyi Sistla tells us how representation helps coders build things that work for everyone. And Mary Chaney shines a light on how hiring for a new generation can prepare us for a bold and brighter future. If you want to read up on some of our research on the InfoSec community, you can check out all our bonus material over at redhat.com/commandlineheroes. Follow along with the episode transcript.

Transcript
Starting point is 00:00:00 It's the final scene of an epic horror movie. After grueling days of evading this monster, sacrificing herself, and saving everyone she could, our hero has finally won. She collapses, exhausted but relieved. She did it. It's over. But it's not really the end, is it? In the final, final scene, the camera turns toward the monster's lifeless face. There's a terrifying moment of expectation. And then, the monster's eyes snap open. Evil does not stay dead. The End go, the more heroes have to level up and expand their team. I'm Saron Yitbarek, and this is Command Line Heroes, an original podcast from Red Hat. This season, we've been going face-to-face with some of the biggest monsters in tech. The viruses, Trojan horses, botnets, and ransomware
Starting point is 00:01:47 that tried to destroy our digital lives. And we've learned that the more we move online, the larger the stakes get in these security battles. Everybody is being pulled into the fight. We're all part of the action, working to build a safer future. So in this episode, for our season finale, we're looking at what that call to arms really means. How do we bring more voices, more people into security work?
Starting point is 00:02:16 And why does it matter whether people with different backgrounds join that larger team? In other words, how does paying attention to every voice, even in outsiders, actually make things better for everyone? SATAN was about awareness. Wietse Venema is a software engineer at Google. But back in the early 1990s, he was working on a new free tool called SATAN. That stands for Security Administrator Tool for Analyzing Networks. Nobody asked for SATAN.
Starting point is 00:02:54 It wasn't a company project or a government initiative. It was just a project driven by Venema and his friend Dan Farmer, who was then the security czar at Silicon Graphics. They had studied the new world of networked computers, and they felt they could build a tool that network needed. Just imagine that you have a bunch of computers that until recently were just standalone. They were not connected with each other. And suddenly computers are networked together.
Starting point is 00:03:26 Having access to one computer now means that you have access to a million computers. That's a lot of computers. That's a lot more than one. Those first networked computers were mostly at universities and large companies. And every institution might have a system administrator who handled a few security issues. But protecting computers was often an afterthought. As we learned in our last episode, the first networked computers were full of security holes. The defenses of those computers were relatively weak. Hackers could use simple brute force attacks to guess passwords and break in.
Starting point is 00:04:06 Users were naive and sometimes administrators weren't much better. What's worse, when one security team discovered a security flaw, they weren't sharing what they learned. Around that time, there was no disclosure of vulnerabilities, no process for doing that. In the early days of the internet, you might do battle with a software bug or some new virus. But then you didn't pass on your solution or even report your problem. Everybody on the planet was tackling each security problem as though it were brand new. So how do you change that system? How do you get people sharing information about all the known security issues they've come across?
Starting point is 00:04:52 Enter Satan. People just didn't know that they had these problems on the network. So the purpose was to make an inventory of all the computers on your network and then probe with, I think, a dozen different vulnerability checks and report for all the computers all the problems that they had. A program that scans computers on a network for known security vulnerabilities and lets you know where they are. It even had a web interface, which was pretty slick at the time. There, system administrators could automate the process, easily scanning their system for security flaws. It also told you what kind of machines were being used and how they were connected.
Starting point is 00:05:37 Sounds useful, right? That sounded scary to some people. That idea met some resistance. For some of those universities and companies that were being scanned, this sounded like a shortcut for the bad guys who wanted to hack them. A program that points out security holes? Wouldn't that just make hacking easier? It was a serious worry. And I mean, it probably didn't help that the program was called Satan. People suggested like, you should not do this because it will be the end of the internet. We decided to proceed anyway. We thought the internet will be destroyed if we don't do
Starting point is 00:06:20 something about it. Venema and Farmer believed that a secure network had to be a network where awareness of known security threats had precedent. In other words, sunlight is the best disinfectant. Think of that solo hero from our opening. Why fight alone, these guys were saying. Why not bring the whole team of superheroes together? Some were still pushing back though. Even if Satan was a good idea, why make it available to everybody? Some people said, give it only to the good guys. Hand Satan over to system
Starting point is 00:07:00 administrators, they said. Or maybe make it really expensive so only large companies can scan for vulnerabilities. Don't just throw this superpower out there for anyone to use. Veynema made one small concession. He released Satan to system administrators a little early. That way, they could run it themselves, their clients could run it, and they could patch up their security holes
Starting point is 00:07:27 before Satan was available to potential criminals. And then, April 5th 1995, Satan was released. It was given away for free on 20 different sites on the internet. The next day
Starting point is 00:07:43 there was a headline in the San Francisco Chronicle that said hell did not break loose with Satan. The world did not come to an end. Turns out, the bad guys already knew about all the vulnerabilities. It was the good guys who didn't know about them. Venema started getting emails from grateful people around the world. Satan had found security problems they had no idea about. Satan was making the internet a little more safe.
Starting point is 00:08:13 What we did was we made a publicly available tool with a nice user interface and helped a lot of people to help themselves. Satan was a bit like a stranger who walks around trying everyone's front doors and letting people know when they find one that isn't locked. The idea that security could come from outside your house, from someone not associated with your business, your university, your personal team,
Starting point is 00:08:42 well, it was revolutionary. In 1995, you could get fired for running Satan. In 1997, you could be fired for not running Satan. So it was basically due diligence. You're supposed to scan your networks proactively so that if you find your holes before, the bad guy finds it. After Satan, system administrators realized they had to branch out. For starters, they had to look at their machines from the intruder's point of view.
Starting point is 00:09:14 But they also had to listen to each other, share insights, communicate about new discoveries. Only then would the internet begin to be safe. As for Venema and Farmer, they were at first considered outlaws for what they'd done. But today, Satan-style programs are standard. They've been vindicated. And security teams are learning every day
Starting point is 00:09:38 that you want to know what other people know. Nobody should fight the monster alone. Sharing bug reports isn't enough, of course. A truly leveled-up security team has to be open to whole new perspectives. That means your team of heroes better not all come from the same place. Representation matters. The cybersecurity industry suffers from a diversity problem generally. This has been something that folks have known for years.
Starting point is 00:10:21 Maitreyi Sistla is the deputy director of the Aspen Institute's Tech Policy Hub, and her group recently published a report on the state of diversity in cybersecurity. Black cyber professionals are only about 10% of all cybersecurity workers, and Hispanic workers are only about 4% of workers. Women make up less than a quarter. The numbers aren't good, and Sistla says the monocultures that result, that lack of inclusion on InfoSec teams, looks to her like missed opportunities. Diversity is a huge issue in cybersecurity, and I would say in most fields, because if you don't have a diverse workforce, you're not going to be building good products and you're not going to be creating policy that's effective for all people. Research shows that companies with more women and people of color are more innovative. Why would security teams want to limit the kinds of experience and outlooks that they utilize?
Starting point is 00:11:17 We had a fellow who was really interested in working on cybersecurity with elderly communities because thousands of older Americans are scammed every year online, but they don't submit this information to law enforcement agencies. And our fellow Ginny Fawes was really curious to understand why that was. And she held a series of design thinking workshops with older Americans. When she did that, she found that a lot of the existing avenues for reporting these scams didn't design for older adults in mind. Like their text was too small for many of these individuals to read. These forms would time out before folks were able to input all of their answers.
Starting point is 00:11:55 They weren't necessarily colorblind or disability friendly. And all of these design decisions that were made, likely by people who weren't older, affected these older Americans' ability to report cybercrime incidents to law enforcement agencies. I mean, that's just one example, right? There are a hundred ways that a new perspective could improve the work that security teams are trying to do. One of the recurring insights this season has been that security is really everybody's job, and that includes all the people who maybe aren't your typical tech employee.
Starting point is 00:12:32 If you don't have folks in the room who represent a diversity of perspectives, you're not going to build things that work for all people. Building teams that include underrepresented backgrounds can help us design for everyone. It can even help us foresee different kinds of criminal behavior. One of the greatest assets that I think the United States and Canada also have is that we're diverse countries and we have folks who come from around the world who can really understand the cultural context of everywhere, which is incredible and can really help build better policy and help foresee perhaps what foreign adversaries might be doing. You might have heard, given enough eyes, all bugs are shallow. Named after Linus Torvalds, it's called Linus's Law. I think you could say
Starting point is 00:13:21 something similar about security issues. Given enough eyes, all security flaws are shallow. So if diverse security teams are stronger, then what's keeping a diverse group of candidates from joining those teams? Inherent biases from those who hire play a part. And there are pipeline issues too. STEM degree graduates are disproportionately white and male. And for individuals who do have STEM degrees, they often don't get the helping hand, the mentorship that turns a worker into a leader. I was always the highest ranking minority female in any organization that I've worked for, still am. Mary Cheney is the chairwoman, CEO, and president
Starting point is 00:14:06 of a group called Minorities in Cybersecurity, MIC for short. A couple years back, in 2019, she was one of those rare mentors for women and people of color. She was helping out a few dozen people and noticed they were all hampered in their careers by cultural roadblocks.
Starting point is 00:14:26 That's why she founded Minorities in Cybersecurity, to help lift up those diverse candidates who kept getting overlooked. Making real change, getting more kinds of people at the table, is never going to happen, she says, unless we change the way we recruit. I don't think it's a talent shortage. We don't have enough people interested. But guess what? We have a whole lot of people out there that could be if we now, you know, start to market it right. That means updating the image of an ideal candidate. Does your job description actually fit the job you're trying
Starting point is 00:15:03 to fill? Or is it describing an old idea about what an IT worker's resume should look like? The security landscape is constantly evolving. So to hire an effective team, we may need our hiring practices to evolve too. For example, we could be thinking about what skills a company can give an employee rather than what skills employees should come with. I tell organizations, you can't go to market and buy what you want all the time. You actually have to invest some time into building the type of talent that you're looking for. Building diverse teams isn't a simple decision.
Starting point is 00:15:43 It's a project that demands real work. In Cheney's case, she's lifting up tomorrow's leaders in a very direct way. MCLEAD is a new program focused on leadership development. promoted into management level roles, then you get more by default, hopefully you get more diverse teams because a diverse hiring manager is more likely to hire other diverse people than it is, you know, the traditional way. It's the first few cracks in that ceiling that are the most difficult, But cultural shifts have a way of snowballing. I've had several of the folks in the Mike community get opportunities and accept jobs with our corporate members. I'm excited about the opportunity to provide not only a safe community, but a place that someone can go to get the soft skills training.
Starting point is 00:16:46 I hate to say soft skills, but that's really what it is. A lot of times with women and minorities, we go so hard and fast with certifications and education. Oh, I need this or I need that. And that's going to open up doors for me, not understanding yourself and the type of leader you are, how to identify certain situations, how to deal with conflict resolution. Those are the things that will take you further than your certification, especially if you want to be a people leader. Maithrehi Sisla notes there's good news for mentors like Chaney. Cyber security is a booming field. There's something like half a million open cyber security jobs in the U.S. right now and almost three million worldwide. There are
Starting point is 00:17:32 the jobs there. This is not an issue of like there aren't jobs. That means there's a fantastic opportunity right now for security teams to hire up a new diverse generation of employees. And that would have the knock-on effect of making all our lives safer. Change is happening. The trick is turning these ideas into real concrete improvements to hiring practices and leadership training.
Starting point is 00:17:58 If we can get that done, the result is a broader collective experience, a leveling up of our abilities, a bigger team of heroes. And that makes the world safer, more secure for everybody. It takes every kind of command line hero fighting as a team to combat the security crises of our time. And I think celebrating a range of voices, diverse voices, is a fitting way to say bye for now. After 67 episodes running over nine seasons, Command Line Heroes is taking a break. It's been such an honor over these last five years to tell the stories of the community we love. And we got some amazing love in return, millions of downloads, and even
Starting point is 00:18:54 a few nods at award ceremonies. But most of all, we've been grateful for you, the Command Line Heroes community that came along for this incredible ride. But listen, there are more stories to tell. Do stay subscribed. Because while this may be our last in this series of seasons, I want you to know the folks over at Red Hat have a lot more to share.
Starting point is 00:19:20 Stay tuned. For now though, you can check out the podcast Compiler, where tech experts help to demystify tricky topics. And please stay in touch with me. You can follow me on Twitter at Saran Yitbarek, and hear from me in conversation with other programmers on my podcast Code Newbie. Meanwhile, you can explore the Command Line Heroes archive wherever you get your podcasts. Like I mentioned, we've done 67 episodes. You may have missed one.
Starting point is 00:19:51 And what did all those episodes, including somewhere around 300 interviews, amount to? I think if there's one single takeaway from this show, it's this. The future is brighter when we work together. From our roots in the world of open source to our commitment to diversity and education, we believe the future of tech belongs to everybody. More than that, it's going to be built by everybody too. I'm Saron Yitbarek, and this is it for Command Line Heroes. For now. An original podcast from Red Hat. Before we go, I wanted to share what have been some highlights these past nine seasons.
Starting point is 00:20:41 A favorite part of hosting this show for me has been the editorial meetings. Before each season, our team sits in a room and dreams about all the possibilities. Our ideas reach far and wide. Our pitches cross countries and industries. Our stories are deep and personal. But what I love most about these meetings isn't just the energy in the room. It's not just the excitement over a shiny new season. It's the fact that the season could truly be about almost anything, because technology and command line heroes are everywhere.
Starting point is 00:21:19 I love that we've been able to talk about programming languages, prosthetics, the invention of GPS, gaming, floppy disks, even robots for senior citizens. Tech is such a ubiquitous part of our world that there's so much to explore and unpack. A few episodes that stand out for me are Creating JavaScript. The key to Brendan Eich is that Brendan Eich, when he built JavaScript, had become sort of a language junkie. Season 3, Episode 3. As far as stories go, I'm a sucker for the classics. And the story of JavaScript being created in 10 days is one that just never gets old. Another is open source hardware, Makers Unite. The group was really almost like a group of misfits from the media lab where it was like...
Starting point is 00:22:11 Season 4, Episode 6. Hardware isn't my world, but I'm curious about it. And this one is all about the maker movement, led by some pretty badass women. Makers are just another type of command line hero after all, with a different set of tools. I also loved our robot as body episode featuring Tilly Lockie. My favorite part about the hands is how they look and how actually like personable and customizable they are. Season eight, episode five. We talked about her personal experience with robotic limbs, and I got a peek into the future of this industry and the incredible tech that's life and to you. It's been such a pleasure to share it all. Until we meet again, keep on coding.
Starting point is 00:23:19 Hi, I'm Jeff Ligon. I'm the Director of Engineering for Edge and Automotive at Red Hat. The number one hesitation that I think folks have about Edge is that they assume they're not ready for it. They think that it'll mean starting over from scratch or that every time their business needs to change, they'll be re-engineering solutions and re-evaluating vendors. And look, Edge is complex, and it does mean a different approach, particularly for devices at the far edge.
Starting point is 00:23:44 But with Red Hat, it doesn't mean starting over with new platforms. We've taken the same enterprise solutions that simplify and accelerate work across the hybrid cloud and optimized them for use at the edge. So you can manage your edge environments just like you do the others. Come find out how at redhat.com slash edge.
