One time while eating lasagna in a fancy restaurant with Susan, I turned to her and said, “if you were going to rob this restaurant, how would you go about it?” Caught off guard, she had no real response. “That’s okay,” I said, “here’s how I would do it.” I then went into great detail as to how my plan would unfold, complete with little X’s and O’s drawn out on napkins. By the time I was done I had everything planned out, down to which employees I was going to have to incapacitate.
“You’re insane,” Susan replied through a mouthful of spaghetti.
For a while, I was convinced that I was. Then I found this article on Wired, titled “Inside the Twisted Mind of the Security Professional.” From the article:
Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it. […]
This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.
I’ve often speculated about how much of this is innate, and how much is teachable. In general, I think it’s a particular way of looking at the world, and that it’s far easier to teach someone domain expertise — cryptography or software security or safecracking or document forgery — than it is to teach someone a security mindset.
Yes! I’m normal! (Well …)
That is exactly the way I see things. When I see web forms, I wonder if they’ll accept an apostrophe. When I see security tags at the store, I wonder how difficult (or easy) they are to remove. I’m the guy who, when bored at the mall, tries to figure out a way to remove the ATM machine. I’m the guy who drives around the neighborhood trying his car alarm remote and garage door opener at the end of your driveway. I’m the guy who shakes his head when you leave your car running outside the convenience store “just for a second”. I’m the guy who cringes when I hear you reading your credit card number over a cell phone or, God forbid, a cordless phone.
I’m not a criminal. In fact, the world is safer because of people like me — like us. People like us came up with encryption, and tougher password requirements, and digital scrambling. We’re the reason cars are harder to hot wire and your social security number is no longer your driver license number. By noticing how unsafe things are, we make things safer.
So anyway, back to that restaurant. First you’ll need …
Same here. Between a natural inquisitiveness and Marine Corps security training I can’t help but look for the chinks in any figurative suit of armor.
I got more nerd in me than the criminal element. Sure, I’ve done the occasional casing of the joint but, more often than not, I speculate on how much better the place can be managed. I think that’s the result of all these 8d, team building and customer support classes I’ve taken over the years than anything else. Thus, when service is slow or some other problem results while I’m ordering or waiting for my food.
And I’m not the only one that does that by a long shot. Earlier this week I was in the cafeteria salad bar. The line was long and a couple people behind me were discussing how the salad bar could be more efficient if they simply rearranged a couple items on the table. I figured they were engineers. Considering where I work, that’s a safe guess.
Oops. This sentence: Thus, when service is slow or some other problem results while I’m ordering or waiting for my food.
Should read:
Thus, when service is slow or some other problem results while I’m ordering or waiting for my food, I speculate on how they could make it better.
I do the same thing. I always wonder what would I do if? And I always look for a second way out (and where is the bathroom… Have to have priorities).
I go to a restaurant and start thinking about quality of food issues, cleanliness issues, how many tables can they turn in a 6 hour shift, what is the turn-over rate of staff, how much the wait staff reports as income off of the tips, how long do people wait to be seated and how many drinks do they order while waiting, what is the liquor-to-food ratio, man I have been working for the state for too long and going to B-School for too long, I should really be soaking up the atmosphere and enjoying the fact that I don’t have to clean up after myself and do the dishes..…..
So…..how would you rob this bank? ;D