Funny, as real-life "cybersecurity" work is not very visual (grepping through log files doesn't look very sexy). I'm half tempted to put together a ridiculous, Ghost In The Shell-like demo with 3D graphics just for the laughs, though.
I was talking to a non-technical friend about this last night!
The gist being that grepping your nmap output may not be visual eye candy to us, but it can still invoke a sense of mystery and magic in others since they don’t have a firm idea of what’s happening. But they feel something important is about to happen as a result.
The "open" challenge is quite restrictive as it only applies to the following countries: "Argentina, Australia, Brazil, Canada, China, Colombia, France, Germany, India, Japan, Mexico, Netherlands, Peru, South Africa, Spain, United Kingdom, United States of America"
- A country or its institutions may be sanctioned by the sponsor's country, increasing the difficulty of processing financial rewards.
- Increasing the number of languages covered by the sponsor via Terms & Conditions [1] and Q&A support [2] increases the cost of launching the challenge.
- Some countries have stricter and/or ambiguous digital and financial laws, increasing the risk and cost of compliance to the sponsors.
The coolest cybersecurity job that ever existed was the cartoonist for JVN iPedia. There were dozens of security alerts with these cartoons, although I think only from 2007 until 2010 - for example:
Predictably the very first picture is a guy in a hoodie. In all the stories they clearly struggle for images. They picture instead the targets or in some cases resort to people holding laptops or phones or this garbage: https://www.bbc.co.uk/news/uk-england-essex-48351510
Having spent some time down this route, the big question is, who consumes these visuals, and what kind of decisions do they make, and how? I'm already heavily invested in this, and it's still possible I've just got it completely wrong and it sucks, but here's some insight on viz in the security field.
For the last year I have been presenting a set of visual models that allow product managers (and people who hold solution risk but don't code) to collaborate on threat modelling with their dev teams, because collaboration is the only viable way to solve security, and it's the one thing we haven't tried because the entire DNA of our field originates in a revolt against solving problems merely by managing to get along with others.
Product and higher love it, but the resistance I have encountered has been from security technologists whose work it simplifies because it does not enable them to express their virtuosity.
The analogy I would use is it has been a bit like showing a pianist a sequencer/synthesizer or a percussionist a turntable. Excellent tools for composition and making things other people want, but ones that debase the artist's investment in talent and physical skill. It does not help them actualize.
Security people become extra suspicious of data viz because they sense they are the ones being persuaded to trust the person who came up with it, and their mission in life is to dig beneath representations. Viz can have the opposite of its intended effect by reducing team alignment as the result of the most technical people defecting in response.
What I have learned about colleagues in the security field is that they want tools to help them become things, not reports to relate with and broker things. Security people tend to want to be powerful outsiders, hackers, researchers & scientists, sheepdogs, magicians, etc. They generally do not want to be the insiders, deal makers, enthusiasts, collaborators, persuaders, deciders, or other people who operate on the level of abstraction where they consume and present visualizations and other representations. If we did, learning about crypto primitives and reasoning in BAN logic is the least smart way to achieve that. Similarly, nobody masters the oboe to be cool and popular like a DJ, and while they appreciate the difference it makes in a song, most people are indifferent to whether it is synthesized.
So long as a tool lets a project manager move a risk item from Red to Amber to get them through a project gate, they wouldn't care if we in security used an interpretive dance troupe. The threat modelling tools today are basically toys for technologists where decision makers see them and say, "great, you've shown us how smart you are, what will it take to get you onside?" The irony is that this is success from a security perspective, because it gets them a seat at the table.
So why say this at all? Because the revolutionary change that will solve security will not come from data, or individuals demonstrating how brilliant they are. It will be a function of collaboration, facilitated by clear representations of shared understanding, and alignment of all parties on incentives and risks.
That last part is the Hard problem, because it's fundamentally political, and the one as technologists we are least equipped to resolve. This data viz challenge is a fun idea, but it would be helpful to know just who they think will be the consumer of these visualizations, and what they would do if one were perfect.
I've been at this a while and I think you touch on a few great points here (and generally agree with all of it). Security pros as counter-culture cats has been a thing from the beginning. It still exists of course, but I do believe it's getting better, and even as a generally conservative old white incumbent male in the field I give most of the props to efforts to improve diversity and inclusivity in the ranks. With this I feel we'll start to attract (or at least not scare away) people that are comfortable operating at layers of abstraction themselves, able to communicate with the deep domain experts AND product management, project managers, leadership, etc. This might help to chip away at the professional impedance mismatch you're noting towards the middle.
That said I do think there's another part of this problem...security vendors have been selling garbage visualization products for at least 20 years now and over-promising greatly what they can do. Anybody that's been burned is going to be incredibly skeptical of something new...especially if it is billed as a way to visualize 'security' and not a laser-focused sub-domain with ample options for extending the visualization for corner cases not included in the tin.
You mean companies have been buying garbage visualization products...if IT spent money on things that actually move the needle on security (training and career paths for engineers, skilled managers, rewarding quality over velocity, long term thinking execs, investing in open source ... to name a few) then vendors wouldn’t be able to sell garbage. Instead IT depts settle for glitzy UIs that plaster over the real (deep and pervasive) culture, HR, and organizational issues.
Indeed, there has been a lot of flashy useless stuff. Looking back at the days of products like silentrunner, intellitactics, and then the tyranny of radial diagrams and chart junk that followed, it's littered with failed dreams. Viz has a GIGO problem (garbage in, garbage out) and a big part of it is the lack of methodology and general maturity of the field.
I'm currently re-designing our security architecture engagement process to be more compatible with the velocity of agile. We're finding that speaking a common language and working within the commonality is key to our success. Another tenet is decentralization and manage by exception.
Common visualizations are interesting, but second order to designing a process that works. However, it would be nice to have a library to pick from, as opposed to have to create something ourselves.
Thanks for sharing! It’s not clearly visible but they have personas of end-users they hope to target. Specifically civil rights activists, CISOs, state officials and journalists. Can be consumed through technical or policy reports, presentation decks, and news articles and more.
> The cost of running insecurely should exceed the cost of making it secure.
This was suggested by Bruce Schneier, as well, in one of his books, citing the example of rising difficulty of credit card fraud now that the credit card companies are held wholly liable for it.
>citing the example of rising difficulty of credit card fraud now that the credit card companies are held wholly liable for it.
The people that are held liable for credit card fraud are, ultimately, the merchants. If someone uses a stolen credit card, it's the merchant who is left without any money after shipping their goods.
Nice, this is a timely challenge for me since I’m making a career switch from UX/UI design towards cyber security (background is CompSci so get to dust off some knowledge I didn’t get to apply much since graduation).
So far it’s just been a lot of theory (books, man pages, reading PoC code and vulnerability disclosures, dusting off old texts on networking) and practice (CTFs, bug bounty, writing my own exploitable apps then fixing them after, trying out PoCs) since I want to hit a certain level of competence before applying for jobs.
I’ll be talking to contacts in cybersec and HR/recruitment departments in my area since the hiring filter is a bit of a concern. I’m used to going around HR, but not sure how that plays out in this industry. Despite doing front-end and full-stack development for every position I’ve had I do feel I need to groom my experience a bit to downplay my UX/UI contributions. Worst case is I get certs like the OSCP you’re getting to speed things up.
After doing design for so long I just didn’t feel excited about what I was doing day-to-day nor did I find the discussions in the industry that interesting.
But I never really got tired of programming and at this point in my life the latter meshes better with what I’m interested in – privacy, encryption, hardening or subverting systems, etc. – than the former. I also get to reapply knowledge that was abstracted away while I predominantly did front-end development.
This is doomed to fail. Imagine making a challenge aimed at reducing the use of click-bait titles by encouraging examples of more accurate titles for articles. Do you really think anything coming out of such a challenge will be effective in reducing the use of click bait titles?
No, because ultimately titles, like images, are made to quickly capture people’s attention, and using images of “real” cybersecurity would be boring. Are you gonna show a WAF? Some logs? A USB?
Better to show a disheveled Russian in a grungy room filled with cigarette smoke and empty vodka bottles. People will associate cybersecurity with whatever they see in movies and shows.