Is Security Research Always Useful?

This is an update of a post that originally appeared on February 19, 2016.

Anyone involved in the computer industry likely spends some amount of time reading about the latest security issues in books such as Machine Learning Security Principles. Administrators and developers probably spend more time than many people, but no one can possibly read all the security research available today. There are so many researchers looking for so many bugs in so many places and in so many different ways that even if someone had the time and inclination to read every security article produced, it would be impossible. You’d need to be the speediest reader on the planet (and then some) to even think about scratching the surface. So, you must contemplate the usefulness of all that research—whether it’s actually useful or simply a method for some people to get their name on a piece of paper.

What amazes me since I first wrote this blog post is that I have done a considerable amount of additional reading, including research papers, and find that most exploits remain essentially the same. The techniques may differ, they may improve, but the essentials of the exploit remain the same. It turns out that humans are the weakest link in every security chain and that social engineering attacks remain a mainstay of hackers. The one thing that has changed in seven years is that the use of machine learning and deep learning techniques has automated life for the hacker, much as these technologies have automated life for everyone else. In addition, a lack of proactive privacy makes it even easier than before for a hacker to create a believable attack by using publicly available information about an intended target.

As part of researching security, you need to consider the viability of an attack, especially with regard to your organization, infrastructure, personnel, and applications. Some of the attacks require physical access to the system. In some cases, you must actually take the system apart to access components in order to perform the security trick. Many IoT attacks fall into this category. Unless you or your organization is in the habit of allowing perfect strangers physical access to your systems, which might include taking them apart, you must wonder whether the security issue is even worth worrying about. You need to ask why someone would take the time to document a security issue that’s nearly impossible to see, much less perform in a real-world environment. More importantly, the moment you see that a security issue requires physical access to the device, you can probably stop reading.

You also find attacks that require special equipment to perform. The article “How encryption keys could be stolen by your lunch” discusses one such attack. In fact, the article contains a picture of the special equipment that you must build to perpetrate the attack. It places said equipment into a piece of pita bread, which adds a fanciful twist to something that is already quite odd and pretty much unworkable given that you must be within 50 cm (19.6 in) of the device you want to attack (assuming that the RF transmission conditions are perfect). Except for the interesting attack vector (using a piece of pita bread), you really have to question why anyone would ever perpetrate this attack given that social engineering and a wealth of other attacks require no special equipment, are highly successful, and work from a much longer distance.

It does pay to keep an eye on the latest and future targets of hacker attacks. Even though many IoT attacks are the stuff of James Bond today, hackers are paying attention to IoT, so it pays to secure your systems, which are likely wide open right now. As one of my experiments for Machine Learning Security Principles, I actually did hack my own smart thermostat (after which, I immediately improved security). The number of IoT attacks is increasing considerably, so ensuring that you maintain electrical, physical, and application security over your IoT devices is important, but not to the exclusion of other needs.

A few research pieces become more reasonable by discussing outlandish sorts of hacks that could potentially happen after an initial break-in. The hack discussed in “Design flaw in Intel chips opens door to rootkits” is one of these sorts of hacks. You can’t perpetrate the hack until after breaking into the system some other way, but the break-in has serious consequences once it occurs. Even so, most hackers won’t take the time because they already have everything needed—the hack is overkill. However, this particular kind of hack should sound alarms in the security professional’s head. The Windows 11 requirement for the TPM 2.0 chip is supposed to make this kind of attack significantly harder, perhaps impossible, to perform. Of course, someone has already found a way to bypass the TPM 2.0 chip requirement and it doesn’t help that Microsoft actually signed off on a piece of rootkit malware for installation on a Windows 11 system. So, security research, even when you know that the actual piece of research isn’t particularly helpful, can become a source of information for thought experiments of what a hacker might do.

The articles that help most provide a shot of reality into the decidedly conspiracy-oriented world of security. For example, “Evil conspiracy? Nope, everyday cyber insecurity” discusses a series of events that everyone initially thought pointed to a major cyber attack. It turns out that the events occurred at the same time by coincidence. The article author thoughtfully points out some of the reasons that the conspiracy theories seemed a bit out of place at the outset anyway.

It also helps to know the true sources of potential security issues. For example, the articles “In the security world, the good guys aren’t always good” and “5 reasons why newer hires are the company’s biggest data security risk” point out the sources you really do need to consider when creating a security plan. These are the sorts of articles that should attract your attention because they describe a security issue that you really should think about.

The point is that you encounter a lot of information out there that doesn’t help you make your system any more secure. It may be interesting if you have the time to read it, but the tactics truly aren’t practical and no hacker is going to use them. Critical thinking skills are your best asset when building your security knowledge. Let me know about your take on security research at [email protected].

Developing Good Work Habits

Writing, like any kind of work, requires a certain amount of discipline. However, unlike many sorts of work, pounding away at the keyboard is only helpful when you have ideas to get onto paper (digital in most cases today, but the idea is the same as writing in the past). In order to become more productive, you must develop good work habits. Part of the task is to base your work habits on the kind of writing you do, your personality, and the requirement to get a certain amount of work done in a given time. It’s also important to consider your work environment.

I normally work a 12 to 14 hour work day, but I don’t spend all that time at the keyboard. My work day is split into one hour segments with 15 minute breaks. The day always begins with chores and breakfast for me. After all, everyone has to eat. During my first segment, I’ll answer e-mail, and then it’s usually time to take a break. I get some cleaning done or get the wood stove ready for the evening fire. The point is to get out of the office for 15 minutes so that I can rest, but also remain productive.

I am a huge believer in keeping your work environment clean and tidy. One of my best friends works in an office and so they have a commercial office cleaning service to take care of their workplace for them. Clutter and dirt can be incredibly distracting and can even prevent you from enjoying your work, which can have a detrimental impact on your productivity over time. Contacting cleaning services Red Deer, or ones closer to the office vicinity, will help keep everything together and clean. So whether you work in an office or from home, try to be as tidy as you can. Cleaning is also a great way to take a step away from the screen, which is incredibly important for your creativity. Whilst cleaning is important, there will always be some jobs that people are unable to do. For example, cleaning the outside of the windows will be a difficult job for staff to do quickly whilst they’re in the office. This job will normally have to be done by a professional window cleaning company. Ideally, windows should be cleaned regularly, so it’s important that residential and commercial properties consider contacting their local window cleaners.


During the second segment I normally write as much text as I can. Sometimes this means pressing pretty hard in order to get the task done, but you need words on paper to move forward. Last week’s post mentioned some ways in which I get the job done. This segment usually goes by so fast that it seems as if I’m just starting when my timer goes off. Yes, I use a timer on my computer to keep a routine in place. Pacing yourself is important. At the end of the second segment it’s usually time to check the chickens and get any eggs they’ve laid. A walk outside is nice too. Sometimes I play Frisbee with the dogs or do some cleaning or even just enjoy some sunshine while I read the newspaper.

The third segment sees me editing the text I’ve written during the second segment and augmenting it. I usually end up with half again the number of pages that I had at the end of the second segment. The point is that the book has advanced, but that the text is also in better shape by the end of the third segment.

Depending on how everything has gone, I can sometimes fit in a fourth segment that I use to research new book material. I write ideas for the current chapter directly into the remaining blank spots so that I can start working on them immediately after lunch.

Lunch is an hour long. Afterward, I check on the animals again, check out the orchards and gardens as needed, and generally get things cleaned up. You’ll notice I do a lot of little cleaning segments during the day. For me, it’s better than trying to clean the entire house all in one fell swoop. Plus, I like a clean environment in which to work; some people actually do work better in clutter. There isn’t any right or wrong to the question of environment, just what works for you.

The rest of the day goes pretty much like the first part of the day went. I’ll have a robust writing segment after lunch, followed by an editing segment, followed by a research segment. It may seem mundane and potentially quite boring, but it’s an efficient way for me to work. Of course, you have to come up with your own routine, whatever seems to work for you. Keep trying different ways of approaching your writing until you come up with an approach that’s both efficient and rewarding. Yes, I’m quite tired by the end of the day, but I also feel quite happy with what I’ve gotten done. Let me know your ideas on writing workflow at [email protected].