In this edition of Hacker Conversations, SecurityWeek talks to Alex Ionescu, a world-renowned cybersecurity expert who has combined a career as a business executive with that of a security researcher.
The goal of Hacker Conversations is to talk to cybersecurity researchers to better understand how they fit into and operate within the cybersecurity ecosphere.
Ionescu is currently technical director, platform operations and research at Canada’s Communications Security Establishment (which has responsibility for foreign signals intelligence and communications security, protecting government networks, and being the nation’s technical authority for cybersecurity and information assurance).
Before that, he was VP of endpoint engineering at CrowdStrike, and is the co-author of the last two editions of the Windows Internals series. He talked to SecurityWeek for this series on his experience as an independent security researcher.
What makes a security researcher?
“The cliché answer,” says Ionescu, “is ‘curiosity’. It’s more complex than this; but basically, it is an insatiable need to know how things work, and why they work.” One thing it doesn’t need is a desire for fame and fortune. A lot of fame and a degree of fortune can be obtained (and we’ll meet researchers in this series who have done just that), but it is the exception.
It’s the process that must appeal. “You could spend years researching something and, in the end, it amounts to nothing more than knowledge gained. It’ll have no value beyond that,” he continued. “So, you must have that curiosity that makes you say at the end of the day ‘Oh, I’m glad I learned something that I can share.’ If you’re in it just for fame or just for money, it’s going to be disappointing quite quickly, because you generally don’t get there; or get there very rarely.”
This introduces two further personality traits that will benefit the researcher: patience and the lack of ego. Patience goes together with curiosity – neither works very well on its own. Research can be long and slow, so patience is necessary to keep going.
Ego is bound up with another characteristic – a desire to share what is discovered. There are caveats to sharing, which we’ll come to later, but in general researchers like to share their results because it can expand and improve the research.
“I’m proud of the research that I do, and I know what I’m good at and what I’m not,” he said. “Usually, sharing my research will lead to feedback with criticism and praise.” But the researcher needs to be able to accept the times when there is more criticism than praise, and the ability to accept disappointment is also important. Ego gets in the way of this.
Finally, he added one more characteristic – this time not a requirement for research but a result of it: mistrust, and especially mistrust of the media. “I think there’s a large mistrust of media in general,” he commented, “because the media tends to cover up or ignore things sometimes. If it gets a ‘cease and desist’ from a Microsoft or a Sony… they’re typically not going to side with a loner in the basement when they’ve got a multi-billion-dollar company and their lawyers coming to their headquarters.”
The Asperger’s connection
In recent years there has been a suggested connection between Asperger’s syndrome and both white hat and black hat hackers. Asperger’s is a complex condition that is not well understood. Its more accurate terminology today is ‘autism spectrum disorder/ASD’. It can – but does not necessarily – combine social difficulties with high intellectual performance in a specific area. For the sake of argument rather than accuracy, we will describe such people as ‘high performing loners’.
Ionescu neither accepts nor rejects a connection – you don’t need to be a loner to be a researcher, but the occupation of research could be attractive to loners. “It is a world where you don’t need to be physically present. You can just send emails and write blogs and can hide behind a persona. Research certainly welcomes that personality trait more than other fields might.” But he adds, “Personally, I’m very extroverted, so it certainly isn’t a necessity.”
Far more important than any neurodiverse label, he says, is a willingness to learn and the ability to be patient – and the stomach for disappointment when things don’t turn out as expected. But he added, “it sounds cliché, but research is one of those areas where if you’re curious and patient and willing to learn, and if you work hard, you will get success. Sadly, the state of the security of most things in the world is that if you shake the tree hard enough, you’ll find things. So, you just have to have that patience and that work ethic.”
How do you get started?
All of this begs an important question: how do you get started in this profession? “For me,” said Ionescu, “it was a self-taught natural progression from a hobby. Growing up in Romania, I was lucky to have access to a computer at home from the age of four.
“I was just always fascinated with how things work and what makes them tick – and the thing that I had in front of me was a computer. So, I started messing around with it in various ways, for myself really. And then the Internet came along, and I started meeting people that had similar interests.
“I think I was very lucky from a time perspective with the internet. With it came an evolving hacker culture and then all the forums. I found that while I was doing my thing, others were doing the same. Those two worlds intersected and through various contacts, people, websites, it developed into a full-time hobby, and eventually a job.”
The basic scenario he described is one in which the profession draws the natural hacker into becoming a researcher – it could be black hat or white hat, although in Ionescu’s case it was white hat.
Income, and the choice between black hat and white hat
It should be asked where an independent researcher gets his income, and whether there is any temptation to go to the dark side. This is particularly relevant given the recent growth in the wealth of some criminal gangs. (Nation states also purchase exploits from the ‘open market’, but the delineation between whether that remains white hat or becomes black hat probably rests with which side of the geopolitical divide you call home.)
“There are numerous ways to earn money as a white hat researcher,” said Ionescu. “You can contract with a company to sell your research back to the company; or you can use one of the various bug-hunting programs. Many of the larger companies have their own vulnerability reward scheme.”
The two ‘wrong’ routes are to sell your research to criminal gangs or to weaponize and use it yourself. “Do that,” said Ionescu, “and you’re a criminal, not a researcher.” Despite this, he recognizes the pressures, which have their own geopolitical divide. “In the States and Canada and Europe,” he explained, “you can earn a lot of money – hundreds of thousands of dollars – doing research for companies like Facebook. In Russia and Iran and China you probably can’t do this – but collaborating with or working for a criminal gang could earn the same amount – a lot of money.”
Socioeconomics also plays its part. “Take the family where the eldest child has six siblings, no father and a sick mother. There’s no income, but the opportunity to make some money by encrypting a few hard drives.”
Dissociation comes into play. Insurance will pay the ransom, so there’s no real harm done to anyone. “In exchange, the mother gets her cancer treatment or whatever is required. We could make a whole movie about this – we can justify why someone might want to go down that route in places where there’s not a lot of other opportunities.”
Responsible or full disclosure has been a perennial (‘heated’, says Ionescu) debate for more than two decades: should a researcher fully and immediately publicize discoveries to ‘force’ a vendor to fix the problems, or should the researcher disclose only to the vendor and work with the vendor to fix the problems before going public?
The intent is the same: to minimize the possibility of criminals exploiting the vulnerability. Full disclosure works to the principle that criminals may already know about the fault and are quietly exploiting it, while responsible disclosure says criminals will know about it the moment it is publicly disclosed.
“My personal stance,” says Ionescu, “is that full disclosure doesn’t help in most cases. There are corner cases, where the researcher may claim, ‘This company would not have done anything if we hadn’t put their face in the mud.’ But I think it is bad to make general policies based on exceptions.”
Against full disclosure are cases where criminals have used exploits published in Metasploit before the vendors had patched them. Supporting full disclosure is a current video gaming case.
On January 23, 2022, @DarkSoulsGame tweeted “PvP servers for Dark Souls 3, Dark Souls 2, and Dark Souls: Remastered have been temporarily deactivated to allow the team to investigate recent reports of an issue with online services.” The issue appears to be related to an exploit that had its effect published on Twitch.
Malwarebytes reported, “[A] Text to Speech voice kicks in and begins a long ramble aimed at the streamer. You’ll also hear the incredibly confused streamer in the background, talking about seeing ‘powershell.exe’ on their screen. Someone had gained control of his PC, mid-stream, to crash his game and autoplay the synthesized speech.”
The recording was apparently made and published out of frustration. An RCE vulnerability had been found in the game and reported to the publisher, but nothing had been done about it. The Twitch recording prompted further claims, with one user saying he had found and reported another (possibly different, possibly the same) RCE in 2020.
“My main reason for not being surprised is that I also reported an RCE to Bandai Namco in early 2020 and was met with the exact same radio silence,” Reddit user LukeYui told Video Games Chronicle.
At the time of writing, the Dark Souls PvP servers were still off-line with no further public comment from Bandai Namco. The implication is that in some circumstances, researchers may conclude they need to go public with their findings to ‘force’ a vendor into action. That’s the ‘full disclosure’ argument.
But Ionescu adds a further pressure against full disclosure – the legal issue. “Different countries have different laws,” he said. “In some cases, there are issues around the legality of reverse engineering, and in other cases the research may be something that cannot be allowed to reach certain foreign countries because it’s almost considered weapons research. Then there’s the possibility of copyright infringement and DMCA in the U.S. There are lots of laws around the world to navigate; so, there’s certainly a legal aspect to traverse if you want to be very loud and noisy and vocal about your research.”
SecurityWeek asked Ionescu what research had given him the greatest personal satisfaction. He replied that it wasn’t a specific result, but a type of research that pleases him most.
“A lot of security research is done by looking at X, and finding things wrong with X. I do a lot of that,” he said. “But what really makes me feel accomplished, and what I think everyone stands from better appreciating from an engineering perspective, is when I take X (which appears to be, for the sake of argument, ‘perfect’, as used and designed in, say, 1995), and then take Y (which appears to be, for the sake of argument, ‘perfect’, as used and designed in, say, 2005). Then take Z,” he continued, “which someone took, in 2015, by combining X and Y together.”
The engineers assumed ‘two perfects make an extra perfect’. “But the reality is,” he continued, “It’s garbage. I call it ‘emergent design’. It’s where two technologies that independently were designed for one purpose, and they’re perfect at it, were later combined into something that made the sum of the parts worse than the individual pieces. And of course, it’s even more fun when X and Y become A, B, C, D, E, F, G…”
Curiosity creates hackers (in the original sense of the word). Natural hackers get drawn into the world of research and become either white hat or black hat researchers. The black hat researchers become a threat to cybersecurity – the white hats are a boon.
“Many industries build lots of technologies where they simply don’t have the knowledge, the resources – I guess I could even say the will – to look at the security aspect,” says Ionescu. “So, I think we’re lucky as a society that we have these people that, thanks to their own curiosity and passion, are basically doing in many cases volunteer work; calling out how things could be better. Overall, we’re in a better place because people look at these issues – it’s good that we have these unbiased people doing research essentially for free. So, I’m happy they’re out there.”