Last week, I had fun talking about the old-fashioned internet and defensive security with Liz Bell.
This time, I spoke to bug bounty specialist Sophia Sanles-Luksetich. Did you know that Ubuntu was her first OS?
Kim Crawley: Please tell me a bit about yourself and what you do.
Sophia Sanles-Luksetich: I am a rookie information security consultant. I currently perform bug bounty triage for companies which I am not allowed to name, but let’s just say most folks have heard of these companies.
Before I got into information security, I was an IT generalist who dabbled in a bit of programming, Linux and privacy. Ubuntu was actually my first OS. It’s funny to think now that my decision as a 12-year-old could have impacted my career so much ten years later.
KC: I must admit that it’s unusual that Ubuntu was your first OS. But that’s great! I use Kubuntu on my work desktop. Did that make you delve into Debian a bit?
SSL: Oh, cool! I have dabbled with Debian a bit, but not as much as most folks would expect. I think I learned a lot more soft skills using Ubuntu at a young age. Like when I couldn’t download my favorite game as a kid, I spent hours reading error logs, documentation and forums to figure out how to get the game working on my computer. Open Source Software (OSS) is also very modular compared to a lot of closed source software, so learning how software is built on other software was a big help. Now everything is miles down a supply chain that most people can barely scratch the surface of, at least in my opinion.
KC: How do you feel about Microsoft trying to copy some features now, such as Microsoft Store, in Windows 10?
SSL: I don’t care too much. I will be honest, I think copying is how we get the best products and services. It’s a part of our nature, you know. “Stand on the shoulders of giants,” and all that jazz. Of course, the companies doing the copying should acknowledge their inspirations. I am pretty proud of Microsoft’s recent OSS push. They were originally one of the big antagonists of the OSS movement, so seeing them change teams now is kind of a win.
KC: So, you triage bug bounties. Do you believe that bug bounty programs augment penetration testing?
SSL: Yeah, most definitely. I think the biggest benefit is the variety of bugs exposed. We have people in our program who discover issues, from open Google Calendars to cache-based identification attacks. Unfortunately, most pen-tests fall into the box-checking category, so their exposure can be very limited. Another often-overlooked factor is how bug bounties impact the criminal marketplace for IT related attacks. Before, a researcher would have little incentive to turn over their findings. This was made even worse by the hostile legal actions taken against the researcher trying to protect companies.
Now, an attacker can decide if they want to make more money illegally or have the chance to make some money legally and get a lot of publicity for doing so. The exposure thing is big; it gives our researchers tangible examples they can add to their resume so they can transition into full-time information security roles. This means fewer malicious attacks in the wild for everyone.
That being said, one of the biggest disadvantages to bug bounty is visibility. You can never beat the visibility provided by a white box pen test.
KC: Excellent. How did you get into Ubuntu computing initially?
SSL: We had a family computer that stopped working. Rather than buy a new Windows disk to fix it, I asked around among my friends. Funny enough, one of my friends’ dads worked in information security, and I played board games with him and his son. I asked his son to give me a copy, and he messed it up by downloading it onto the CD rather than doing an image transfer.
Lucky for me, I had a slightly more competent IT friend, Rikki, who ripped me a fresh CD. It’s funny, too; she was a lot more like me then, I thought. We both started in theater and ended up getting into computers just because they are resourceful and we were both people who loved the convenience for record keeping. I think what got me into OSS, to begin with, was the idea that I never had to pay for it. I am a cheapskate. I can think of a good chunk of my IT experience that I learned by trying to get something for free. I learned how to torrent, how to not screw up your computer on harmful sites. Always a fun time!
KC: Your background sounds a lot like mine. Working in cybersecurity so far, which misconceptions do you think laypeople have about our field?
SSL: Honestly, I love that question because I feel like our field is represented in such a narrow context. There are so many different parts to this complex world: forensics, policy, legal, education, risk management, research, product security and the most famous blue team and red team stuff. The hardest thing to do now is piece these fields together; to bridge gaps and deal with problems holistically rather than getting caught up in the nuance.
The stereotypical antisocial hacker is exactly the opposite of what we need now. We need people who can communicate highly technical topics to audiences and express risks in a relatable way. I think this is especially important in this era where the internet has become a life-saving miracle and a new wellspring of social malaise. I think that’s really my goal in information security. Yeah, I have all the fancy tech projects which I love, but I know I will only make a difference when I can teach people to handle the nuance of an information-rich age.
KC: Do you ever get annoyed by how “hackers” are portrayed in fiction?
SSL: Yeah, I want to see more cyber stalkers and phishers than hackers. I think that would also give us a bit more of a realistic take on cybersecurity in this era of information excess.
Even if they really need to portray a “technical” hacker in real life, it’s 90% research, 10% execution. The media doesn’t like the research part, but they could easily represent our work the same way they represent medical work in House or Bones.
I think a lot of shows also fall for the “if it’s more complicated and technical sounding, then it’s more hacker-y” idea. I have to laugh at that sometimes. I watch a lot of animated shows, and it has been funny to see people really try to make something sound tech-y but fail. A great example: “I had to break through 27 layers of encryption to access this device,” which makes no sense at all but sounds cool to the layperson. Or, “if we increase power in one node, it can reduce the power in the other nodes,” which sounds kind of basic but also seems like a genuine way to impact the availability of a shared power/resource system.
I do think these representations, as silly as they are, can greatly impact our field and how it interacts with the world at large.
KC: I’ve learned a lot from you so far. Is there anything else that you’d like to add before we go?
SSL: I think if I could give one piece of advice to new cybersecurity folks, I would tell them all to volunteer at conferences and talk to the attendees. You will learn a lot just by talking to people in the field. Oh, and of course, don’t discount soft skills and the fundamentals.