Video - How to buy an ATM - Hacktivity 2017
A video of my talk about the process of buying and hacking an ATM
Art as a methodology for security research. Art and security share a lot of commonalities. In this article I discuss my research methodology which has evolved out of art.
My journey into security has not been a conventional one. I didn’t go to university and study computer science. I think my career could have taken a different route. I considered many different professions growing up, but eventually settled on being an artist. Yes, you read that correctly. I decided to become an artist not a security researcher! Historically art has brought visibility to lots of different issues. It’s incredibly powerful, and for that reason I felt it was the job for me.
As it turns out I didn’t become a full-time artist. Instead I work in security full-time. No loss though, my start in life has equipped me with everything I need to be a researcher. Art has helped me to foster all sorts of qualities that are important to security research.
“What sort of person wants to make art in the first place? Artists are literally diseased people. We live with a condition, a disorder that questions the existing order of things. A disease with the world that cannot be cured but only managed as best as possible” – Tim Rollins
The more I’ve thought about it, the more I’ve concluded that art is related to security. I believe we in security can learn a lot from art. You see, Art is thought manifested, in the same way that a technical talk is. They are the product of slightly different processes, but they are much the same thing. Both roles require high levels of creativity and curiosity. Both Artists and Researchers have to “show” work as the outcome of their process.
Because of these similarities between Art and Research I have developed a unique approach to my work. I’d like to share part of this with you. It’s my toolkit that I use to foster creativity and support the research approach.
1. I use an Artist’s sketchbook
A sketchbook is a place where you can discuss and develop ideas. It represents an internal dialogue. A place to develop your ideas and record your thoughts before investing in something more time consuming. Consider it a recipe book that you can refer to in the future. A sketchbook can take many forms, but a common format is a notebook. Inspiration can come from anywhere. Keep in mind that thoughts that initially appear to be unrelated may later find a connection. Your sketchbook doesn’t have to be a book, a wall can work just as well too!
2. I have a lot of hobbies outside of Information Security
The more the better. This is important because it helps you to be interested in the world. This will expand your source pool of inspiration, ideas and possibilities. This year I took a life drawing class, I taught myself to sew, and I taught myself to tile a kitchen. These activities seem unrelated to each other, and security. But in fact, hobbies teach a person how to apply ideas to real world scenarios, how to manifest ideas. Through the process of learning a new skill you will also gain new ways to demonstrate your research. The best way to show your idea may not be in a PowerPoint or in an electronic format!
3. I question everything
This hones the instinct to find issues. In all your hobbies you can practise expressing curiosity. Ask yourself, “Is there a way to modify this to provide different functionality? Or change functionality?” Question the logic of all things!
Let me give you an example of how this works. At the end of University, I had a lot of artwork. In particular there was one piece, a photo sculpture, that I knew I couldn’t keep. I thought I’d have to throw this piece away. But in a passing conversation with a work colleague I found another option. He told me that a relative of his worked in a building near the Saatchi residence. Charles Saatchi is a super famous art dealer. Super famous! He has collected the artwork of Damien Hirst. In case you don’t know what that is, Damien Hirst cut a cow in half and put it in a display case. Enough said.
I wondered whether it would be possible to send Charles Saatchi my artwork. Honestly, I had nothing to lose. I had to get rid of the work anyway. But there were a few issues. You can’t just send a high-profile dealer your artwork. These buildings are heavily monitored, and unsolicited parcels won’t be accepted. I wondered whether it would be possible to get my art into the building.
I worked on a plan to get the security guard to talk to his friends at the Saatchi building to let my package in. Off I went to the post office, with a very innocuous parcel. It looked like I was carrying a body wrapped in brown paper! It must have looked quite strange to the post office clerk. But they still accepted the package.
Only a few days later I received an email from staff at the Saatchi residence stating that they had received my work! I’m telling you this story because we in security call this Social Engineering. I was able to do this because I asked myself “Is this possible?” instead of telling myself “There’s no way I can do that”.
4. The context for my work extends beyond security
The context gives your work meaning. It’ll show you platforms for sharing your work and the ways in which others have manifested their ideas. Ask yourself “Who are my peers?”. Don’t limit yourself to a single discipline. Look outside of security. Look at Art, Science, and Culture. This will build your motivation for continuing your work and give you additional ideas. My peers are Samy Kamkar and Adam Laurie. But also an artist like Takis, who worked to make energy visible.
5. The first way to manifest your idea may not be the right way
There is a work by an artist called Joseph Kosuth. It’s called “One and Three Chairs”. In it we have a chair, a real chair that we can physically touch and sit on. Next to that is a photo of a chair, also undoubtedly a chair. Next to that there's the dictionary definition of a chair.
https://en.wikipedia.org/wiki/One_and_Three_Chairs
There are many ways to think about this piece of artwork. For me it illustrates the different ways of seeing and understanding the idea and meaning of a chair. What I want you to take away from this is that there are many different ways of explaining a single idea. PowerPoint may be the first thing you think of, but there are at least two other ways to do it.
For the longest time, Researchers have been explaining their findings to an audience in the same way. Using PowerPoint. Why is that? Is that because this is the most effective way of communicating ideas? I don’t think so. We in security need to practise new ways of seeing and new ways of saying. Much like Joseph Kosuth’s work “One and Three Chairs”. We need to show our ideas, not just tell.