Nathan Reynolds – Stuck in the lift with the cynic


Getting stuck in a lift with any stranger can be a daunting experience. Contrary to what many claim, there is no scientific evidence to prove that getting stuck in a lift with the Infosec Cynic causes any form of long-term damage.

Recently, the Cynic found himself stuck in a lift with Nathan Reynolds, a highly regarded Infosec professional; this is what he had to say for himself.

I am:

Nathan Reynolds, 34. I often describe myself as an Information Security and cryptography nut. I’m quite sure others use a more colourful choice of words.

I got to where I am today by:

I can track my love of computers and security back to a single movie, ‘Wargames’. It inspired me to crack out the ZX Spectrum (being a child of the 80s) and create my own password program, which my encouraging dad then cracked. So I set about writing a ‘better’ password program. I was about seven years old.

I first actually started being paid for working with computers as an IT Technician for a local college, for whom I had written a small security program. I then left to work in London as a Network Manager for a consultancy company, and was hired out as a Security consultant. Then off to work for a software development company that was creating a vendor-agnostic policy-based network management suite, primarily for telecommunication companies.

It was at this point that I ditched any focus on Microsoft, stopped maintaining my MCSE, and started running GNU/Linux on my desktop.

Primarily because I was expected to manage a few GNU/Linux servers, some with experimental kernels. Secondly because it had an ‘enthusiast’ edge to it, which I used to enjoy in the 8-bit days. I moved from Network Management to Information Security. I then attained a CISSP, home-brewed an Enterprise Log Management system for my employer, and then changed companies.

So now, I work for a twenty-thousand seat automation company primarily providing security consultation in IT projects, and running a few of my own projects as well.

It seems I came through the technical ranks, and then because I accrued knowledge in many aspects of IT and security, I became well suited for design, architecture and consultancy type roles. I absolutely eschew all management roles, because I don’t believe my talents are in people management, so I don’t see why I should stem my potential just to fit with the typical concept of progression within a company. I prefer to keep focusing towards specialization and research.

Before I became an infosec professional I wanted to be:

A scientist. I have no idea why; something about the lab coats and mixing highly volatile chemicals just seemed very appealing. Is every five-year-old with a magnifying glass a pyromaniac? Either way, it seems to be slowly happening, as I’m also nearing completion (last year) of a Master of Science in Computer Security. Although I seem to have traded test tubes and pipettes for a keyboard and a mouse, and a penchant to have an opinion on just about everything.

Describe Infosec in three words (or a few words):

Process, Education, Moderation.

The biggest misconception about infosec is:

That Security is some tangible commodity that can be sold or purchased.

Security, and assurance are derived from the value given by a well designed and developed architecture or system, and associated processes.

The concept that one can nip into a High-Street shop, and purchase a wireless router that must be secure, ‘cos it’s got a big sticker that says ‘Secure’ on it, just doesn’t make sense. Would we trust a financial advisor with temporary offices in a pub, just because he wears a badge that says ‘Honest’?

The next big thing in infosec is:

From an academic perspective, I think semantic aware web-services, the Semantic Web, Web 3.0, whatever-we’re-calling-it-today, are going to be very educational for the Information Security practitioner. We’re going to see some big information leakages as organisations struggle with securing data, meta-data, and meta-meta-data. All of this will probably come too late for most, as semantically linking repositories of information to form ontologies is going to be huge for creating easy to execute inference and aggregation attacks.

My favourite saying is:

It’s more of a quote, but currently it’s: “He who receives an idea from me, receives instruction himself without lessening mine; as he who lights his taper at mine, receives light without darkening me.” — Thomas Jefferson.

Three people I want to have dinner with are:

David Mitchell, Douglas Adams, Craig Charles. I think that would cover all forms of humour for high probability of a comical evening to ensue.

Of course, I’d rather Douglas Adams had still been alive for the meal, but either way it would still be an eventful evening.

Infosec’s greatest weakness is:

Infrastructure. I’ll elaborate: as some organisations have grown they’ve added additional departments, and now Information Security is a separate team that wants its own devices that no one else should have access to. This is counter-productive, as just about every piece of hardware or software in the IT industry has security functionality, settings to configure, etc.

So apart from the obvious devices that only have a security function, Information Security teams should adopt a more advisory role in configuration baselines for other IT teams, as opposed to everyone buying slightly different devices that have overlapping functionality, when one box would have done. Not only does this reduce spending, but it reduces complexity, and creates a more supportable environment.

As for the ‘rogue administrator’ argument, well it’s possible to have rogue administrators in Information Security as well. In a typical organisation they’re all vetted by the same Human Resources department, so you’re entirely dependent upon their process when assessing corruptibility, ethics, etc.

I am quite good at:

Poetry, oddly enough. I advocate developing language skills as an important pursuit. Developing language helps to develop and vocalise ideas, and therefore increase overall understanding and independence of thought.

The weirdest security question I’ve ever been asked was:

“Should I trust this web-site? As I want to buy something off them.”

“You tell me. Do you trust them?”

The last time I was truly amazed was:

A holiday in Egypt in 2005. Having been a keen child Egyptologist (like every child), it was simply fantastic to have all the historical facts and religious structure brought to life, in a very clear and defining way. Many ‘nature’ religions are quite blurry in their depiction of astronomical events, and life and death symbolism, but the religion and symbolism of ancient Egypt is simplistic and clear, and will probably produce an epiphany in most people.

Lying in bed at night I often wonder:

Why o’ why did I drink that Pepsi Max after eight o’clock!?

Realistically, the best thing that could happen tomorrow is:

For Microsoft to go out of business. And I say that without malice or vehemence. Microsoft have been slapped on the wrist a number of times for anti-competitive behaviour, they abuse their deployment base and espouse a proprietary ethos which plunders freely available ideas and standards, and then produces monstrous products that support utterly unrecognisable standards.

They’ve also encouraged a culture of charging for the smallest of things (assets or software that had very little development effort), and of computing which works against the user, and damages the computing industry as a whole.

They’ve also managed to produce an OS that seems to display a user interface before the device has fully ‘booted’ thereby tempting me with interaction, whilst at the same time being totally unresponsive.

Don’t worry though, Apple and Google come a close second and third for that top spot. It’s our job to keep big organisations on their toes.

I’d be lost without my:

My iPhone. It’s just such a handy device. OK, I’ve had to hack the crap out of it to get it to a state that’s workable for me. But it’s pure pleasure to be listening to tunes, to have them subtly interrupted by an incoming call, and then have them fade in once the call has ended.

It’s the first combination device that just works. Forget dual cassette VHS players, DVD televisions, or microwave oven and grills; the iPhone actually does what it set out to do: be the single device that replaces phones, PDAs, media devices, and hand-held gaming devices.

Contact me:

Anyone interested in discussing any elements of Information Security and Assurance, future technologies and applicability, etc. can contact me via my blog, http://blog.yibble.org/. Or if for some reason you’d like to hear about the inane things in my day, you can follow me on Twitter, http://twitter.com/yibble. Or e-mail me directly, yibble@yibble.org; my OpenPGP-compliant key is available on most popular key servers.

  1. #1 by Simon on July 23, 2009 - 6:37 am

    Not been stuck in a lift, but I remember being stuck in a traffic jam with you and you nodding off; clearly you’re staying up too late.

  2. #2 by Christian on July 24, 2009 - 4:30 am

    You must have been stuck in the lift for a very long time to have that discussion.

    But a very interesting interview, I certainly learnt a lot from it.

    We need to hear more from the actual people doing Infosec on the ground. Not out of touch airy fairies who haven’t done anything remotely hands on since the dinosaurs were around *cough* Bruce Schneier *cough*

  3. #3 by uk_noodler on July 27, 2009 - 8:47 am

    Microsoft going out of business is an interesting point to ponder.

    I wonder if the US Gov would rescue them like GM?

    All those vulnerabilities that need patching wouldn’t get patched, systems would be falling like dominos. Consumers wouldn’t know what to buy. Businesses wouldn’t know what to buy.

    Why didn’t I read this article on a Friday? It would have been such a good pondering evening… I’ll have forgotten the concept by next Friday.
