Dark Reading is part of the Informa Tech Division of Informa PLC


Hacker Or Military? Best Of Both In Cyber Security
Marilyn Cohodas
User Rank: Strategist
8/26/2014 | 8:02:26 AM
Re: generalizations (& broken stereotypes)
My guess is that your experience @atdre is not so out of the ordinary -- which is what (from an outsider's point of view) makes the people in this industry so fascinating.
User Rank: Apprentice
8/25/2014 | 6:10:51 PM
Broken every single one of your stereotypes except the college one, although I have ex-hacker colleagues that even defy that one. Wouldn't label myself as a non-military type (even though I've never been in any military) and wouldn't label myself as an ex-hacker type (even though many of my colleagues who are ex-hackers would classify me as such).

It's important to live in both of these worlds for all of the spectrums of these personality types. We do have a common operational picture and a common enemy after all. I'd like to hear about more people like myself who break stereotypes almost categorically.

So the question remains... who will make the better leader? My bet is not on the current White House cyber czar or Jeff Moss. The best leader in cyber will be an Eisenhower, and his or her trusted advisors will be younger Scot Terbans and Ali-Reza Anghaies.
User Rank: Ninja
8/21/2014 | 2:48:35 PM
Re: Both sides of the fence
In my experiences, friction can happen regardless of background.

I have seen ex-military who simply did not get along with each other.

I have also seen professional civilians that just didn't understand that there was no I in team and didn't get along with anyone...  at all!

If there were any common source of friction between ex-military and non-ex-military, it would be where planning efforts run into innovation and creativity.

Military doctrine almost always requires that planning take place at all times for all missions as much as possible.  Planning is central to classic strategic and tactical efforts with the goal of completion of a mission while mitigating loss and optimizing results with limited resources.

Creativity on the other hand requires the "blank sheet of endless paper" mentality where the only plan, if there is one, is to accomplish some kind of a goal.  Even the goal can be nebulous in that the creativity could be along the lines of "let us see what happens when we do this."  For military thinking, this is not a common practice unless it is encapsulated in a safe and predictable shell.  When working with tools and resources that can kill people, this is not a bad thing!

When both mindsets do come together with a common goal and genuine respect and understanding of the strengths and weaknesses of both sides of the fence, the results can be quite brilliant.  Example: DARPA.

Marilyn Cohodas
User Rank: Strategist
8/21/2014 | 2:20:46 PM
Re: Both sides of the fence
Seems to me that there is a complementary skill set between hacker spontaneity and military discipline. But that it could cause some friction at times. True?



User Rank: Ninja
8/21/2014 | 1:22:03 PM
Culture differences are good.
A few years ago, I was engaged in a Red Team project that involved several professional pen testers.  If I recall, there were 9 people on the team.  It was a dream job for me because I had been given a chance to be on this team.  The team lead was more of a project manager with a background in pen testing.  A very organized and talented individual I would work for any day.  Heck, the entire team was awesome.

One day, the team lead scheduled a meeting for us to get together to discuss some details of the project we were currently focused on.  The time of the meeting was at 1300 hrs (1PM for you non-ex-military types).

Four others and myself showed up 5 to 15 minutes early.

The team lead showed up about 2 minutes before the meeting start.  Pleasantly pleased to see some of the team there before he was.

The rest of the team showed up later...  anywhere from 10 to 30 minutes later.  The team lead said little other than "glad you could make it" and "we were just talking about...".  No facial expressions or body language of any negative sense was given.

The meeting progressed for a while, some planning issues resolved, and everything moving along in the discussions.  We began to run close on time for the room we were in.

As the meeting was wrapping up, the team lead diverged from the discussion for a few moments.

He asked for hands in the air for those in the room who were ex-military.  All of us early birds raised our hands.  The other guys smirked a little. 
The team lead then said that if anyone is late, it was highly recommended they bring coffees or donuts for everyone. 
The smirks disappeared. 
It was obvious he was not pleased with the late shows.  He was smiling, but his countenance was not.

Nobody was late to any of his meetings again.  As I recall, the team lead also always brought donuts to the meetings regardless of his timing.  Always mixed variety, always first come, first serve on selection.

The team lead was not prior military, but he was the boss.
Big career hint regardless of background: Always never have your boss waiting on you.
User Rank: Moderator
8/21/2014 | 12:57:52 PM
Both sides of the fence
Great article.  I think many people forget that when it comes to IT security, there are definitely different approaches when it comes to how folks become involved in the community.  And with that, you clearly illustrate why we need both types of security folks, traditional, formally-learned and those who are more self-taught.  Unfortunately, in a lot of areas, these two types have strong stereotypes and those from the hacker community still have a bit of a "bad guy" type of image associated with them, despite their high desirability in the security industry.  Will these stereotypes change? Probably not, but hopefully articles like this will help illustrate why both sides are legitimate sources for security expertise.
