Hey boffin, take a walk on the wild side: Stuffy academics need to let out their inner black hat
If hackers and nerds played together nicely, security would benefit, reckons compsci boffin
Academics and grey-hat bug-hunters are a lot more alike than they care to admit.
This is according to Anita Nikolich, a computer science fellow with the Illinois Institute of Technology and former cybersecurity head at the National Science Foundation in the US.
The problem, Nikolich said, is a gulf between the academic world of university researchers pushing papers and the "underground" world of hobbyist hackers, bug hunters and grey-hat researchers who actually hammer on products.
Traditionally, academic research was seen as more theoretical and abstract, while underground hacking dealt with breaking actual products. More recently, however, the two areas have increasingly overlapped, and many would be hard pressed to tell the agenda of DefCon from that of an academic security conference.
"It struck me as ironic that over the past 10 years it is getting harder to tell the difference," Nikolich mused. "Academic and non-academic research have become indistinguishable from one another."
This has led to some missed opportunities in recent years. For example, last year's work at the DefCon voting village touched on problems academic security researchers have known about for years without the public noticing, while in 2011 researcher Jay Radcliffe had his groundbreaking research on hacking insulin pumps held back by academic journals that refused to take a paper from someone who didn't have a PhD.
In both cases, a bit of flexibility and understanding could have benefited everyone.
With their areas overlapping, Nikolich sees a need for academics, hobbyists and professional hackers to find common ground and share their ideas and findings with one another.
This approach has in the past yielded success. Nikolich pointed to Darpa's highly successful "cyber fast track" programme and the explosion of bug bounty and "I am the cavalry" programmes in shedding light on potential risks.
For the gap to be bridged, however, both sides will need to become a bit more flexible in dealing with the other.
For academics, that means inviting people from non-academic backgrounds to participate in conferences and, more importantly, get themselves into the running for grant programmes that would let them pursue and share their findings in academia.
"Sponsor non-academics," Nikolich advised, "there are a lot of very smart people, get them to participate on grants."
Non-academics, meanwhile, would be wise to practice a bit of "matchmaking". Teaming academics up with non-academics, particularly in conference settings, could help uncomfortable uni types open up and get both sides bouncing ideas off one another. ®