
There's Magic In The Madness, Just Ask Alice

BSides Lisbon · 2019 · 30:28 · 354 views · Published 2019-12
Style: Keynote
There's Magic In The Madness, Just Ask Alice - Leigh-Anne Galloway

So whenever I come to a conference, I'm really intrigued about the process that a security researcher goes through to get to the point of presenting their findings. I think that a lot of the time in this industry we spend time talking about the outcome of our work and not sharing with each other how we go about our work. So before I ever presented at a conference, I was really enthralled by the mystique that we grant researchers. There's something about the process of being accepted into a conference that makes them feel like, almost like they've got this rockstar status, and I think there's a few industries outside of security where we have a similar thing going on. So if you look at musicians or artists, we also grant them this sort of special status and we somehow see that they're different from us, but as it turns out it's not really the case.

So as a debt to myself, and I think as a way to be more transparent to everyone in the industry, I want to tell you a bit about my process for security research. And I think it's quite unique; it's one process, so certainly other researchers will have a different process, and I think for me they started before I entered the security industry. So my secret is that I don't have a conventional education in computer science. My entry into this industry was a little bit strange, which I'll tell you about.

So when I was growing up I had, I had a dream that I think a lot of people have when they were kids: I dreamt about changing the world, and I thought the best way to do that is to actually see myself in roles. So I thought about the jobs that I could take when I was older. So the first job, I can say, it was to be a ballet dancer. It doesn't necessarily sound like a job that you can make a lot of change in, but I actually believe that dance is a place that you can make a lot of change, that's for sure. But the problem with this is I was quite a tall child, so this wasn't a profession that I could continue. And I also had a strong affinity with animals when I was growing up, and I loved my pets, and I thought maybe I can be a vet because I could save animal lives. But the thing about being a vet is you're also responsible for the death of animals. I also thought about joining the Royal Air Force, because they have this program which sponsors you to also carry out your education. So in return for meeting some sort of academic merits they will pay for your education, so you can do your undergraduate and then you need to work with them for about five years afterwards. But the problem with this idea is I figured I might end up dead pretty quickly.

So eventually I settled on being an artist. You see, the thing about art is historically it's brought visibility to all sorts of injustices. There's some really incredibly powerful work, and it has a way of disseminating into popular culture, so it affects the clothes that we wear, it really affects everything that we do. So art is something that I consider to be my, my disease, and it's helped me to foster all sorts of qualities that I think are really important to security. And I'd like to share with you a quote by an artist called Tim Rollins, and he says: "What sort of person wants to make art in the first place? Artists are literally diseased people. We live with a condition, a disorder that questions the existing order of things, a disease with the world that cannot be cured but can only be managed as best as possible." And I think there's a few people sat in this room that can probably relate to that idea.

So researchers have this incessant need to question the order of things, and the more I thought about it, the more I thought that art and security are actually related in some ways. You see, when you think about art, art is actually thought manifested. So if you go into a gallery and you look at artwork, that is actually not too dissimilar from seeing a presentation where I talk about my ideas, or seeing some of the talks you're going to see later. They're just a product of a different process. So as you can see, artists and security researchers have quite a lot in common. I think if you're a security researcher, if that's your full-time job or if that's something that you do independently outside of the work that you do on a day to day, you have to spend a huge amount of time coming up with creative ideas. You have to question a lot of things, which is the nature of being an artist. You also tend to spend a lot of your time alone, and it can be quite a thankless job. And interestingly enough, a lot of the time when you work as a researcher or an artist you can spend time exploring an idea; at the end of it you might have nothing to show. But both of these jobs share in common that at some point you need to show to the world what you've come up with. So as a researcher, maybe that's you talk about your ideas internally to provide value to the company, or that you go externally and you talk about your ideas at a conference, so you might submit to a CFP.

So this is my methodology, my toolkit, and the things that I use as a way to live a very creative life. It helps me to be a better researcher, and it's a process I've learnt from art, so I'm calling it art as a methodology for research. So the first thing is that creativity is obviously a big part of being an artist or researcher, and creativity I like to think about like a muscle: it's something that you have to use all the time, because you never know when inspiration might strike. You know, what's really fascinating about creativity is that it's something that's innately human. So when our brains developed, when our frontal lobe developed, that's the thing that allows us to be creative, so that allows us to think ahead and to imagine different possibilities. So the actual act of being creative is taking all the input we experience on a day-to-day and combining that into different options. It's not so much about coming up with an idea that doesn't exist, but it's about finding different inputs in your life and you're coming up with a third option. [Music]

So the first tool that I use, that artists use a lot, is something called an artist sketchbook, and this is a place where I think you can record your thoughts and have a dialogue with yourself before you invest additional time into making something. So it can be a place where you record visual ideas, it can be a place where you record written ideas as well, and it can take many forms. So here's an example by an artist called Olafur Eliasson, and you may have heard of him or you may not, but he's quite a famous artist, and in his work he asks us to reconsider our relationship to the environment. And he's had an exhibition on at the Tate Modern in London recently, and you can see the way in which he uses a sketchbook. So instead of using a physical book, on the left hand side we can see that the way in which he explores his ideas is he tapes things on the walls, and then on the right hand side you can see his thoughts about materials and prototypes when he was developing a specific product. So he made a solar-powered light, and here we can see the things that he's considered.

And here's an example of my own sketchbooks. This is the first time I've ever showed anyone. So I work on a wall quite a lot, and I was thinking about how is it possible for us to introduce greater privacy into the clothes that we wear, so that's the consideration for this. But of course it doesn't have to just be sketchbooks. I also work a lot with notebooks, and I think that they can be easier to work with. I know a lot of people keep electronic notes, but there's something nice about having tangible books that you can carry with you. And if that doesn't work, I also often take things to the wall. So here you can see my thinking about the magnetic stripe. So I'm really fascinated by payments, and so one of the things I've been thinking about recently is reconsidering our relationship to things that we think we know, that we might take for granted. So I've been thinking about the magnetic stripe on the back of a card.

So next, this is a really important thing, and it's something I would consider, I would encourage everyone to do. So I suggest that you get a hobby or multiple hobbies outside of information security, and this is really important because what it does is it increases the scope of your inspiration. So this year I took a life drawing class, I taught myself to sew, which you can see the product of here, we'll get into that later, I tiled the kitchen, and I built an ottoman. I did many other things as well, and all of these things might seem unrelated to each other and they might seem unrelated to security research, but the important thing about hobbies is that it teaches you how to manifest your ideas in the real world. The thing is, even if you're a security researcher, the best way to explain your idea to the world may not be in the form of a PowerPoint and it may not be electronically, so the more options you have for materializing your ideas the better, ultimately.

Okay, this is, this is what I would call a lifestyle approach. So, question everything. And this is really about being curious for the world. It sounds like a very obvious statement, and it's something that I think we all have as children that we grow out of as adults, but this is really important. So it's really important to be curious about everything around you, even if you're making IKEA furniture and the question is, can I put wheels on that? What does it look like if I lie on the floor and look at the ceiling instead? How does that change my perspective on the world? And I'll show you how important this is even to my work.

All right, so at the end of university I had made a lot of creative works, and my degree is in a creative subject, and I didn't really know what to do with this physical work. I didn't have the space, I was moving out of student dorms, and I thought I would probably just have to give away my work or throw it away. And then I had a passing conversation with someone in my full-time job, and they mentioned to me that they had a relative who worked in a building very close to a very famous art dealer called Charles Saatchi, who at the time was collecting the works of very provocative artists such as Damien Hirst, and he was cutting cows in half. And I thought, what if I could come up with a plan to send my art to this art dealer? And I had one piece of art in particular.

So I had a sort of 3D photo sculpture of myself, and I thought maybe there's a possibility for me to send this in the post, yes, unbelievably, to this art dealer. And the thing about art dealers, especially people of this caliber: they don't accept unsolicited works, so you can't just send a package to them even if you know the address, because they won't sign for it, it won't be accepted into the building. So I worked out a plan to get the security guard of another building just sort of forewarn the people in this other building where the art dealer was. So I took my photo sculpture, so we say, wrapped it up in brown paper. It looked pretty much like this, so it looked pretty strange. And then I walked it from my flat to the post office, took it to the clerk and asked to send it, and they looked at me pretty strangely, I have to say, but they did accept it. And then a few days later I got an email, we'll put that over there for now, I got an email from the staff at Charles Saatchi saying that they have received my artwork. So the point of this story is that this isn't about security, but it's about having a mindset. A lot of people would look at the story and say this is social engineering, but it's about being curious.

A couple of years ago I managed to buy an ATM, and you can see my two cats playing with the ATM, which was a lot of fun. And it sounds like a very hard thing to do, which it is: if you're an individual it's quite hard to buy an ATM if you're not a bank. But the hardest part of owning an ATM is moving the ATM. So ATMs weigh quite a lot, and this ATM weighed 850 kilos, so close to a ton. And as it turns out, most of the couriers in London and the South East of England have a tail lift, so that's the bit on the back of the lorry that goes up, that's rated for a maximum of half a ton or 650 kilos, that was the, the highest I could find, yes. So that's the big problem; otherwise you need a crane. And ATM, as part of the security, is not, is about not moving the ATM. So how did I figure out how to move the ATM? Well, I thought that there's probably a bit of room for error in the engineering process, and that's how I figured out how to move an ATM: I found someone who could lift 650 kilos and got them to lift 850, and it worked.

So the next approach that I would like you to embrace is to move your body. I think in security and in tech we have this approach or the wheaten we quite often think of ourselves as a head staring at a computer, and that's how we live our lives. The thing is, everything that you do in your life is an embodied experience, so you're not a head and the body, you're actually a body, and this is really important. So I would encourage everybody, whatever you're interested in, to use your hands, to make things, to do things; it changes your relationship to your work. So as an example, as I mentioned, I'm interested in cards, so today I turned up as an electromagnet. Now that might look very funny, but you see, dressing as an electromagnet changes my relationship to my own work, and maybe it changes your relationship to the ideas that I want to share. So maybe it's not such a crazy idea to embody the things that you do. So I am really an electromagnet, and yeah, I did say that I taught myself to sew, and this is one of the outcomes of that. So I don't know if you can remember that bar magnets, they normally have a north and a south pole, and those poles are indicated by colors, normally just to help it become a bit clearer for us. So with an electromagnet the only difference is that you're passing a current through the magnet, and if you change the direction of the current you can change the polarization of the magnet from north to south depending on the direction of the current. [Music]

All right, so find the context for your work. The context for your work as a security researcher gives you meaning for doing your work; it shows you other possibilities, how you can manifest your work. So this is really important, and how you find the context for your work is you ask yourself, who are my peers? So who's operating this space? You ask yourself, what is the, what is the reason for making my work, and where is my work situated? And what I mean by that is, is it important that your work is situated in 2019, or does it have some relevance to other time periods? So for example, for my own work what I do is I look at security research and I ask myself, who's making work that might be relevant to mine? So it might be someone like Adam Laurie, who's been around for quite a long time in the security industry, but it's also artists. So this is a Greek artist called Takis, who has been making a lot of work about manifesting energy. So for me my peer group is also artists; it's also people who are working outside of art and research, so they might be working in science. So when you find the context for your work it's really important not to link, not to limit yourself to a single discipline. I also find that children's books are really informative, because they have an excellent way of explaining ideas, so I refer to those lots.

So who is my peer group? My peer group for my own work is people like Samy Kamkar, Adam Laurie, but also artists. So I've got these artists here, Takis and a sound artist called Adam blame me. So even if you're a security researcher you should look outside of your discipline; there's a lot going on that could influence your work. And why do I make my work? Well, I feel that payments aren't particularly well understood, but also importantly I think education, and this is one of the reasons why we're all here today, is really important, and if you have the ability to share knowledge with other people then you should do so.

So next we enter the "nothing is precious" phase, or this is where you start prototyping if you're a researcher or an artist. And nothing is precious because at this point you don't want to invest too much in materializing your ideas; you just want to work quickly and come up with different ideas. So when I think about magnetic stripe, see if I can get that supply, so I've been thinking about magnetic stripe recently and a way of visualizing that. So you can visualize that by showing the magnets on the back of the card. So this is ferrofluid, and what I did is I just added a bit of water to it, because ferrofluid has magnetic particles in it and it has a surfactant which allows it to bind to water. So if you add a bit of water you can make it viscous enough to work to show up the magnets on the back of a card, which is pretty handy. Or you can visualize it like this: you can actually use iron filings, which will show you up the permanently magnetized parts of a card. But there's another way to think about this as well. So here I have some magnets which are polarized in different directions, and another magnet, so you can see as it moves it's either attracted or repelled from the magnets.

So now we come onto the phase of manifesting your ideas. So this is an illustration I've made of a work by an artist called Joseph Kosuth, and the work is called One and Three Chairs. And in the work there's a chair that you can physically sit on and you can touch; it's just a normal chair, and the artist hasn't made the chair, so he's bought the chair. And next to the chair is a photograph of the same chair, and next to that is the dictionary definition of a chair. So what's happening in this piece of work? Well, I think what it does is it shows us that there's many different ways of manifesting an idea. So the first way in which we think we can show our idea may not be the best way; there's at least three others. And I think in security, for the longest time, people like me have been standing on a stage talking to people like you about our ideas. So DEF CON's been running for, I think, 27 years, and CCC has been running for about 36 years, and in most of the modern history of conferences people like me have been talking to people like you using a PowerPoint. But why is that? Is that because PowerPoints are the most effective way to show our ideas? I don't actually think so. So my thought is that in security we need to spend more time showing our ideas in a creative fashion rather than talking about our ideas.

In art we use something called the studio critique to receive feedback. Now this is something that I think in the InfoSec industry we could definitely add. So this is a way of receiving feedback on your thoughts and ideas, your work in progress, and also final ideas that you have to show. And what you do is you construct a peer group of people you know, and you go around your work and you talk about your work, and you can get friendly feedback before you present, say, a conference or progress. And the benefit of this is someone else might have a better idea, or they might point something out in your work that you hadn't even noticed.

Now finally we're able to prepare to show our work to an audience. So I'm going to show you an idea of mine in a slightly different way. You've probably been wondering what on earth this is, I don't know. So as I mentioned, I'm dressed as an electromagnet today, so if you could imagine that every time the invisible electricity changes direction, the magnet also changes polarization. So if we take a look at the back of a card, it has a magnetic stripe which is made up of magnetic material, and then there's a layer of plastic over the top. So what happens when we write information on a card? So what happens is an electromagnet passes over the back of the magstripe and it firmly magnetizes particles on them, and it does that by changing direction from north facing to south facing, so we end up with zeros and ones. So when you pass the card back through a reader, those different polarizations influence the signal. So let me give you a demonstration. I do have magnets in my arms. All right, so, hang on a second, I actually need to get a camera, because this is such a big auditorium I think you're probably not going to be able to see very well, so let me see.

All right, hopefully this will make it a bit easier. Oh, you see, okay, I think of, okay, I've still got audio, right? I'm gonna walk slowly, right, all right, so I'm gonna walk slowly because there's a little bit of a delay. Can we drop the lights a bit, is that possible? Well, it's magic, isn't it? Okay, all right, so this, there is a bit of a delay, isn't, uh, can we see that? So what happens as an electromagnet passes over the back of the card is we can permanently magnetize the different sections of the magnet. So let's have a look, and we see that, hello, no, that's very slow, isn't it? Ah, never do a demo live, right? All right, we're gonna have to just keep the lights down low and hopefully you'll be able to see the lights, and I'm gonna go over it.

All right, so imagine, we're getting back into the mode, I'm an electromagnet. I'm now facing the magstripe. Now I can firmly magnetize this part of the magstripe so that it's north facing up. I can then turn, hopefully you can see this, and permanently magnetize this part of the magstripe. Can you see that at the back? Wow, that's amazing. So I can go along the whole card. This is basically what's happening but on a much smaller scale, and I can write to the card. Isn't that much [Laughter]

But there's one more thing. All right, we're nearly there. If you've got this far, if you're a security researcher or interested in being a security researcher, now's the point where you need to iterate on your work and develop a body of work. And that's really important, because what it means is if you iterate on your work you can find subtle variations and you can build depth. Let me just turn this off, leaping at us. So building a body of work allows you to fully investigate an idea, and I really think that's important. So it's something that we do in art quite a lot, is an artist becomes known for a single sort of pursuit of an idea, and it's really important in research as well, because you gain a lot of depth.

And finally, at this point, if you've been following my methodology you've become a researcher or an artist, but guess what, you don't have to define yourself as either. You see, the beauty of information security is that we welcome everybody, and if you have interests outside of security you can integrate them into your, into your work. There's no reason why you can't. Thank you for having me. [Music]

Any questions? No? No questions? All right, enjoy the conference. Thank you so much.