Wanted: More Penn & Teller’s
January 15, 2008
Writing about RSnake’s XSS Worm Contest reminded me of an email conversation we had a while back, where the topic was how, to some people, “hacks” can look a lot like magic. Just like a magic trick, most hacks (discovered vulnerabilities, findings from penetration tests, security breaches, etc.) depend very much on the skill and knowledge of the “performer”, but once the techniques/methods/secrets are revealed, the actual hack might not be all that impressive, and is (possibly) easy to repeat.
Part of that conversation was me saying that I’d write it up as a paper/column somewhere, but unfortunately it dropped off my radar. So, as a round-about mea culpa, here are my thoughts on the topic, with props to RSnake for planting the initial seed.
…
What the security industry needs are more Penn and Tellers, because unlike “magic”, the knowledge of what we do shouldn’t be “secret”, confined to some “magic circle” group of people (although that feels like what some of the communities, which shall remain nameless, have become). All of our knowledge should be shared, shouted from the roof-tops, analyzed, and digested by all that are interested and have the need. The reason for this becomes even more apparent when you look at two of P&T’s classic pieces. Take the time to have a quick watch if you can…
Now that you know the secret of these tricks, does it make them any less “special” for you? Not for me. In fact, it makes them better, because I not only see the ingenuity of how they are conceived/created, but also the skill that it takes to perform them. Could I perform them? Probably not. Certainly not without a lot of practice, but that doesn’t make them any less interesting, and although we all know that “something” is going on during these tricks, actually seeing what it is brings new life to the trick. In addition to this (and this is probably what got them kicked out of the Magic Castle), showing how the trick is performed removes it from the arsenal of the “lower-level” magicians; it forces them to “up their game” and create more impressive tricks. Here is where I find the analogy with the XSS worm contest, and why it jogged my memory: show how the basic tricks work and force everyone to up their game, because the trick no longer “works” as it once did.
For a more concrete example, let’s look at one specific web security vulnerability. Thankfully (for the most part) the days of using the ‘ or 1=1 SQL injection “trick” in login fields are long gone, or at least they are at most of the clients I work with. It’s common knowledge. The magic has been revealed, the obvious hole gets closed, and newer, more advanced methods have to be sought out. Like evolution, the state-of-the-art moves forward.
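To make the “trick” and its retirement concrete, here is an added example (not from the original post) in Python against an in-memory sqlite3 database: the same login check written first with string concatenation, which the classic payloads walk straight through, and then with bound parameters, which treats the payload as an ordinary (and non-matching) string. The users table, the plaintext passwords, and the payloads are constructed purely for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo. Plaintext passwords are used only
    # to keep the example short; a real application stores password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The "trick" works because the user's input is pasted into the SQL text,
    # so a quote in the input closes the literal and the rest becomes syntax.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    # Bound parameters are sent separately from the SQL text, so the quote
    # and the comment marker stay inside the value and never become syntax.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Two classic payloads (constructed for the demo):
#   TAUTOLOGY in the password field turns the WHERE clause into
#     username = 'nobody' AND password = '' OR 1=1 --'
#   which AND/OR precedence makes true for every row.
#   COMMENT_OUT in the username field turns it into
#     username = 'bob' --' AND password = 'x'
#   which logs in as a chosen user with no password at all.
TAUTOLOGY = "' OR 1=1 --"
COMMENT_OUT = "bob' --"


def demo():
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "vuln_as_bob": login_vulnerable(conn, COMMENT_OUT, "anything"),
        "fixed_valid": login_fixed(conn, "alice", "correct horse"),
        "fixed_tautology": login_fixed(conn, "nobody", TAUTOLOGY),
        "fixed_as_bob": login_fixed(conn, COMMENT_OUT, "anything"),
        "fixed_wrong_pw": login_fixed(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running it shows the vulnerable version returning “alice” for the tautology (first row wins) and “bob” for the comment-out payload, while the parameterized version returns nothing for either, because there is no user literally named `bob' --`. That is the whole secret of the trick: once developers know the quote is the problem, they stop building SQL from strings, and an attacker has to move on to harder, less obvious methods.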
So, this is a call out for more Penn and Tellers of the security world. Share the knowledge as far and wide as you can. Let other testers, developers, consultants, clients, management, etc, etc, etc, know about the “tricks” you’ve found, describe how they work, and make the attackers (who no doubt already have this information, and use their own knowledge networks much like the Magic Castle/magic circle) work harder: you’ve seen the sleight of hand, and it no longer fools you. Over time we’ll expose how the “John the Magnificent”, script-kiddie-esque tricks work, leaving just the “master magicians”. It’s debatable how much this will help, but I think raising the bar through education and shared knowledge is one of the few remaining silver bullets.