The driving motivation for almost all cybersecurity researchers is an insatiable curiosity – it’s like an itch that must be scratched. How that itch is scratched is the difference between different researchers.
Runa Sandvik describes herself as a ‘situative researcher’. Situated Learning is a concept that suggests learning cannot be maximized in isolation, but requires an understanding of context; that is, for example, the people, the technology, the intent and the use of the subject. She focuses her work on contextual mitigations for at-risk groups, and innovative solutions for journalist security.
Runa’s approach goes back to her work on the TOR project in 2009. “It got me involved in everything from research and development to project management and team building and training,” she told SecurityWeek. “Throughout this work, I needed to understand how people were using the software, the challenges they were running into, and how different governments in different countries were blocking people.”
The problem that TOR sought to solve could only be achieved by taking a situative approach to the solution. That situative approach has remained with her in her subsequent role as a security researcher.
Being a researcher
Beyond curiosity, Sandvik believes the researcher needs a degree of stubbornness. “A desire to go a little bit deeper and ask that extra question,” she said. “And also, in some cases, to do what hasn’t been done before.”
She accepts the correlation of the terms ‘hacker’ and ‘researcher’, even to the extent that you have white hat and black hat hackers, and white hat and black hat researchers. “There are still people who use the term hackers to describe researchers who are good at what they do, regardless of their motives.”
But she doesn’t accept the stereotypical image of the hacker/researcher as a loner sat in a darkened room in front of a computer. “I think that within the security community there are all sorts of people in all sorts of roles, and there are no more introverts in research than anywhere else,” she said.
For someone driven by curiosity to seek a profession in research, she suggests, “Start by asking yourself, ‘what really interests me?’ There are so many different options in this space. So, apart from the characteristics of curiosity and stubbornness, it is important to have an interest in the topic that you’re going to be examining.
“You’re not going to spend a Friday evening digging into a topic if you’re not interested in it,” she continued. “So, step one is to narrow things down into what areas really interest you. Then find a community that does the same type of work. Listen to the conversations, see what’s been done and what research is going on – and look for areas no-one has tackled. Find the questions that no-one has really asked yet and try to figure out what you can do in this space.”
And then she adds one somewhat surprising piece of advice: “You need to have fun.”
There is, of course, a further characteristic required of all researchers without benefit of a trust fund – the ability to make a living. The question, then, is ‘how do researchers make their money?’
“In some cases,” said Sandvik, “it could be doing research for an established company working to improve a product for sale. In some cases, your knowledge could provide intelligence to other clients. In some cases, if you’re working for an NGO, it would be through external funding or donations from the public. And, of course, researchers can also earn rewards from bug bounty programs.”
Bug bounties can be a double-edged sword for cybersecurity. If a researcher’s discovery is ignored by the bounty program, or if the reward is not considered to be representative of the true value, the researcher may be tempted to sell a discovered vulnerability or exploit on the open market.
“It happens,” said Sandvik. “There are people who make different choices in what they do with the information they have discovered.” The morality or immorality of selling a zero-day exploit to the newly rich criminal fraternity is clear; but the morality of selling to a nation-state is ambiguous.
“It would depend on the government concerned,” she said. “But in both cases, whether a government or gang, you have no control over how your information will be used, or to what extent the information may be leveraged to create a product that could be used against, for example, journalists or political activists. In selling your information you give up any sense of control around how it is used – for good or bad. So, it comes down to who you are selling to and to what extent you trust them to be responsible.”
Geopolitical allegiances come into play here. A Russian researcher may see nothing unethical in selling a zero-day exploit to the Russian government, nor an American researcher in selling to an American or allied agency. It is only in selling to an ‘adversarial’ nation that the morality, or lack of morality, becomes clear.
Sharing and disclosing
Runa Sandvik’s preference for situative research lends itself to sharing. Her TOR project work and her work with ProPublica could not and cannot be done in isolation. At some point, however, all researchers must share their work – either with the vendor concerned or the wider public. This is when the researcher must choose between any of the variants of ‘full disclosure’ or ‘responsible disclosure’. Most white hat researchers prefer responsible disclosure; but few will condemn those who disagree.
Sandvik says simply, “There’s no right or wrong rule here. It all depends on the context. Responsible disclosure can lead to full disclosure if you don’t get any response from the developer.”
The disclosure issue abuts the legal issue – something that all researchers need to consider since there are different legal rules in different jurisdictions. In the U.S. there is no law prohibiting the fundamental process of research – reverse engineering – provided you are reversing a legally acquired product. But there are some restrictions: for example, you cannot use reverse engineering to develop DRM-busting software.
A EULA can also be used to limit the right to reverse engineer. It is a legal contract of use, and has been used by companies objecting to the publication of flaws found through reverse engineering. Consequently, in some cases it may be advisable to obtain the software developer’s permission first.
“In general,” says Sandvik, “things are more relaxed today than they were ten years ago.” The very existence of bug bounty programs demonstrates how attitudes to researchers have changed. Today researchers are more likely to be considered a boon to cybersecurity than a threat to products.
“But if you talk to people who did such research more than 10 years ago,” she continued, “and then presented at conferences like Black Hat and DEF CON, you will hear stories about how people came with a lawyer just in case any legal issues came up. Or in case law enforcement was present, or some company had threatened a lawsuit to prevent researchers from talking about their work – such occurrences were not uncommon, but it appears to be less of a challenge today.”
Effect on security ecosphere
Are security researchers really a boon to the cybersecurity ecosphere? “I believe they are,” said Sandvik – but how do you measure it?
“Consider the news about NSO Pegasus and the use of that tool,” she continued. “It is thanks to work done by Citizen Lab and Amnesty International and related groups that we know as much as we know now about the existence and misuse of that tool. Citizen Lab has been pushing out research on Pegasus since 2016 and in the last year we have seen sanctions against the company and we’re seeing greater pushback from different states — so there’s definitely a role for researchers to claim there is an importance in informing the public of their work.” In some ways the role of the researcher is like the role of the investigative journalist, whose only defense against an aggressive and intrusive government can sometimes be the situative researcher.
Most satisfying discovery
SecurityWeek asked Sandvik what, among all her research and discoveries, had given her the greatest personal satisfaction. She thought for a moment, and then replied, “I would say that the project my husband and I worked on in 2015 where we hacked a WiFi sniper rifle was both very random and a lot of fun, and we both learned a lot. That people are still talking about it 7 years later is unexpected and satisfying.”
Runa is Norwegian. In good situative philosophy, she went with her husband to a gun show to better understand American culture. While there, they saw and bought a new TrackingPoint self-aiming rifle with sophisticated features, including a smart scope powered by the Linux operating system and smartphone applications. It cost $13,000.
In their own time, the couple hacked into the weapon. “It was a fun day, tearing apart a $13,000 rifle,” her husband, Auger, said at the time. The couple found that while they could not remotely fire the rifle (that’s a strictly manual process), they could remotely see the target through the rifle’s scope, could change the target, or could stop the rifle from firing.
Talking about the rifle research, that word ‘fun’ cropped up again, used by both Sandvik and her husband and research partner. We asked if ‘fun’ is an important part of her approach to research. “Yes, it is,” she said.
“Going back to the characteristics of the researcher and the amount of time research takes, if it wasn’t fun, people wouldn’t do it. You need to be excited by the process and to enjoy traveling to and speaking at and learning from conferences.”
She illustrated her point by adding, “There’s a great fun conference called PancakesCon organized by Lesley Carhart (director of incident response at Dragos). Every talk is beginner friendly and delivered in two parts. The first half of the talk is technical, but the second half of the talk must be something completely different. So, you could have a 20-minute talk about bug bounties and bug hunting and how that works, and then the talker switches to something like, for example, knitting socks. It’s just a fun way to connect with the community and talk about something that has nothing to do with the security work, and stay grounded.”
But apart from fun doing the research, there is also the sense of fulfillment in successfully concluding the research. “I get a sense of achievement when my research succeeds,” she said. “I get a lot of value from knowing that I am helping people do their work in a safe way. I really care about supporting and enabling people to do their work securely, and without this I’m a bit lost and floating around trying to figure out what I could do that would have a positive impact on the world.”