For this fifth edition in a series of advice columns for folks interested in learning more about security as a craft or profession, I interviewed Charlie Miller, a software bug-finder extraordinaire and principal research consultant with Accuvant LABS.
Probably best known for his skills at hacking Apple‘s products, Miller spent five years at the National Security Agency as a “global network exploitation analyst.” After leaving the NSA, Miller carved out a niche for himself as an independent security consultant before joining Accuvant in May 2011.
BK: How did your work for the NSA prepare you for a job in the private sector? Did it offer any special skill sets or perspectives that you might otherwise not have gotten in the private sector?
Miller: Basically, it provided on the job training. I got paid a decent salary to learn information security and practice it at a reasonable pace. It’s hard to imagine other jobs that would do that, but if you have a lot of free time, you could simulate such an experience.
BK: The U.S. Government, among others, is starting to dedicate some serious coin to cybersecurity. Should would-be cyber warriors be looking to the government as a way to get their foot in the door of this industry? Or does that option tend to make mainly sense for young people?
Miller: For me, it made sense at the beginning, but there are some drawbacks. The most obvious drawback is government pay isn’t as competitive as the private industry. This isn’t such a big deal when you’re starting out, but I don’t think I could work for the government anymore for this reason. Because of this, many people use government jobs as a launching point to higher paying jobs (like government contracting). For me, I found it very difficult to leave government and enter a (non govt contracting) industry. I had 5 years of experience that showed up as a couple of bullet points on my resume. I couldn’t talk about what I knew, how I knew it, experience I had, etc. I had a lot of trouble getting a good job after leaving NSA.
BK: You’ve been a fairly vocal advocate of the idea that companies should not expect security researchers to report bugs for free. But it seems like there are now a number of companies paying (admittedly sometimes nominal sums) for bugs, and there are several organizations that pay quite well for decent vulnerabilities. And certainly you’ve made a nice chunk of change winning various hacking competitions. Is this a viable way for would-be researchers to make a living? If so, is it a realistic rung to strive for, or is bug-hunting for money a sort of Olympic sport in which only the elite can excel?
Miller: In some parts of the world, it is possible to live off bug hunting with ZDI-level payments. However, given the cost of living in the US, I don’t think it makes sense. Even if you mix in occasional government sales, it would be a tough life living off of bug sales. If I thought it was lucrative, I’d being doing it! For me, it is hard to imagine making more than I do now as a consultant by selling bugs, and the level of risk I’d have to assume would be much higher.
BK: How useful is fuzzing in helping researchers understand and devise new attack techniques? Would you recommend fuzzing as a learning method, or is this an approach that only the learned and advanced researchers are likely to get mileage from?
Miller: Every researcher should at least have fuzzing in their tool chest. It doesn’t take much skill to do it and it is usually the quickest way to get started looking for bugs. I’ve been doing it a long time, and someone just starting would probably already be 80-90% as effective as I am. Of course in the end, you always have to understand the target, whether it is to look for bugs or to figure out crashes, but fuzzing is a quick and easy way to start and at least can limit the amount of the target you need to understand. Some fuzzing tips: Start simple, add protocol knowledge/complexity as needed. Use multiple (types of) fuzzers for every job. Use “template reduction” when dumb fuzzing. Don’t forget to monitor your device for crashes, if you can’t tell when something goes wrong, fuzzing is a waste of time.
BK: What has been the single most valuable learning tool for you in your work?
Miller: I don’t know. I use tools, like IDA Pro, gdb and various fuzzers, valgrind and friends, etc. But I wouldn’t say any of those are learning tools per se, but they are definitely tools of the trade you have to be able to know if you want to understand the flaws found in low level native code. (or equivalents for Windows like WinDbg, etc) You need to be able to use those tools without thinking about them in order to show off your real skills.
BK: What about programming languages? Do you recommend any specific ones?
Miller: Well, I really do a lot of reverse engineering and binary analysis, which is unusual. For me, its important to know C/C++ because it is a language that allows you very low level access to memory and most closely equates to what you see in native code. However, for those starting out, it probably makes more sense to learn some languages more useful for web applications, like PHP or Java or something. The majority of jobs I come across in application security are web applications, so unless you’re a dinosaur like me, you probably want to become a web app expert. Web application security is a lot easier to get started in as well. There are a lot of vulnerable web sites out there and with very few exceptions, we haven’t seen the effort put into making web application exploits (SQLi, XSS, etc) harder like we have with memory corruption exploits.
BK: In your own experience, did you run into any dead-ends, avenues you wouldn’t have spent so much time going down if you had to do it all over again?
Miller: Luckily, I didn’t waste much time on it, but one thing I’ve learned is that for the types of things I am interested in, certifications aren’t that useful for those looking for a job except to demonstrate very basic understanding of the subject. I have two certs — a CISSP and a GCFA. I was required to get the CISSP for a job I had and at the time and, while I did expand my breadth of knowledge (I know how tall fences should be, etc), I don’t think having a CISSP would particularly attract me to a candidate applying to work with me. I got the GCFA because I was interested in forensics, but even though I earned it, I’d never want me working on a forensics job because I only have a hobbyist’s level of understanding of the field.
Otherwise, everything in this field is a dead end. You either never find vulnerabilities you’re looking for or you do and they get patched. Nothing in information security is forever, things change, and you have to be able to roll with that.
BK: Can you talk about the importance of cultivating certain traits as an employee/hacker/researcher in this space? Eg.., Patience, persistence, resourcefulness, lateral thinking. I realize some of these come more natural to some than to others, but there seem to be a set of traits common among many in this industry who do well, and those that I mentioned — in addition to perhaps “curiosity” — tend to go a long way. I’d be interested in your perspectives here.
Miller: Information security, as a field, is pretty hard and demanding. For any field of that kind, you have to be pretty passionate and really love what you’re doing to be effective. Otherwise, you won’t be able to put in the time and effort necessary to be successful, at least not on the long term. It is really hard to measure this quality as an employer, but ask yourself if you’d still be looking for vulnerabilities if you were a millionaire. I still would, although it’d be from a beach somewhere, so I know I’m in the right place.
Speaking of employers, information security is tough to get in because it is hard to evaluate a candidate on their expertise in a few hours. You can’t just look at where a candidate went to school to know if they’re good. This is why it is important as a job seeker to have a “portfolio” which highlights your skills like projects you’ve worked on, vulnerabilities you’ve found, talks you’ve given, etc. This will help separate you from everyone else.
BK: What do you think is the best way to build that portfolio?
Miller: In this field, certificates and diplomas don’t necessarily indicate skill. Only skill indicates skill and its hard to measure skill. I think of it as an artist or architect trying to get a job. It is less important what school an architect goes to than all of their plans and drawings they can show off.
This was the problem I had coming out of NSA. I had nothing to point to that indicated I knew what I was talking about. I think the best way to build up one’s portfolio is a combination of CVE’s (bugs found) and research (measured in talks given). If I see a resume with a bunch of impressive CVE’s and a bunch of talks given at major conferences, it will definitely catch my attention.
If you liked this interview, consider checking out the other interviews in this series: