
Cybersecurity Visuals Challenge - baud147258
https://www.openideo.com/challenge-briefs/cybersecurity-visuals
======
f00zz
Funny, as real-life "cybersecurity" work is not very visual (grepping through
log files doesn't look very sexy). I'm half tempted to put together a
ridiculous, Ghost In The Shell-like demo with 3D graphics just for the laughs,
though.

~~~
samstave
Jeasus - please do this.

~~~
f00zz
I'm actually working on this. Will post a "Show HN" if something comes out of
it.

------
adulau
The "open" challenge is quite restrictive as it only applies to the following
countries: "Argentina, Australia, Brazil, Canada, China, Colombia, France,
Germany, India, Japan, Mexico, Netherlands, Peru, South Africa, Spain, United
Kingdom United States of America"

~~~
Gpetrium
It applies to 53% of the world population and was likely limited due to a
country's laws, ability to provide support to different languages, etc.

~~~
computerfriend
I would love to understand how laws or language requirements would produce
such a list.

~~~
Gpetrium
Here are a few things to think about:

\- A country or its institutions may be sanctioned by the sponsor's country,
increasing the difficulty of processing financial rewards.

\- Increasing the number of languages covered by the sponsor via Terms &
Conditions [1] and Q&A support [2] increases the cost of launching the
challenge.

\- Some countries have stricter and/or ambiguous digital and financial laws,
increasing the risk and cost of compliance to the sponsors.

[1] [https://www.openideo.com/content/cybersecurity-visuals-addit...](https://www.openideo.com/content/cybersecurity-visuals-additional-resources?_ga=2.130999119.118220165.1564680375-106053002.1564680375)

[2] cybersecurityvisuals@ideo.com

------
rurcliped
The coolest cybersecurity job that ever existed was the cartoonist for JVN
iPedia. There were dozens of security alerts with these cartoons, although I
think only from 2007 until 2010 - for example:

[https://jvndb.jvn.jp/ja/contents/2007/JVNDB-2007-000398.html](https://jvndb.jvn.jp/ja/contents/2007/JVNDB-2007-000398.html)
[https://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000034.html](https://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000034.html)
[https://jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-000040.html](https://jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-000040.html)

------
Sahhaese
I don't have anything to contribute to the challenge but this is very much
needed and I hope this challenge produces a richer visual language.

Here's the BBC's "cyber attacks" page:
[https://www.bbc.co.uk/news/topics/cp3mvpdp1r2t/cyber-attacks](https://www.bbc.co.uk/news/topics/cp3mvpdp1r2t/cyber-attacks)

Predictably the very first picture is a guy in a hoodie. In all the stories
they clearly struggle for images. They picture instead the targets or in some
cases resort to people holding laptops or phones or this garbage:
[https://www.bbc.co.uk/news/uk-england-essex-48351510](https://www.bbc.co.uk/news/uk-england-essex-48351510)

------
motohagiography
Having spent some time down this route, the big question is, who consumes
these visuals, and what kind of decisions do they make, and how? I'm already
heavily invested in this, and it's still possible I've just got it completely
wrong and it sucks, but here's some insight on viz in the security field.

For the last year I have been presenting a set of visual models that allow
product managers (and people who hold solution risk but don't code) to
collaborate on threat modelling with their dev teams, because collaboration is
the only viable way to solve security, and it's the one thing we haven't tried
because the entire DNA of our field originates in a revolt against solving
problems merely by managing to get along with others.

Product and higher love it, but the resistance I have encountered has been
from security technologists whose work it simplifies because it does not
enable them to express their virtuosity.

The analogy I would use is that it has been a bit like showing a pianist a
sequencer/synthesizer or a percussionist a turntable. Excellent tools for
composition and making things other people want, but ones that debase the
artists' investment in talent and physical skill. It does not help them
actualize.

Security people become extra suspicious of data viz because they sense they
are the ones being persuaded to trust the person who came up with it, and
their mission in life is to dig beneath representations. Viz can have the
opposite of its intended effect by reducing team alignment as the result of
the most technical people defecting in response.

What I have learned about colleagues in the security field is that they want
tools to help them become things, not reports to relate with and broker
things. Security people tend to want to be powerful outsiders, hackers,
researchers & scientists, sheepdogs, magicians, etc. They generally do not
want to be the insiders, deal makers, enthusiasts, collaborators, persuaders,
deciders, or other people who operate on the level of abstraction where they
consume and present visualizations and other representations. If we did,
learning about crypto primitives and how to reason in BAN logic is the least
smart way to achieve that. Similarly, nobody masters the oboe to be cool and popular
like a DJ, and while they appreciate the difference it makes in a song, most
people are indifferent to whether it is synthesized.

So long as a tool lets a project manager move a risk item from Red to Amber to
get them through a project gate, they wouldn't care if we in security used an
interpretive dance troupe. The threat modelling tools today are basically toys
for technologists where decision makers see them and say, "great, you've shown
us how smart you are, what will it take to get you onside?" The irony is that
this is success from a security perspective, because it gets them a seat at
the table.

So why say this at all? Because the revolutionary change that will solve
security will not come from data, or individuals demonstrating how brilliant
they are. It will be a function of collaboration, facilitated by clear
representations of shared understanding, and alignment of all parties on
incentives and risks.

That last part is the Hard problem, because it's fundamentally political, and
the one as technologists we are least equipped to resolve. This data viz
challenge is a fun idea, but it would be helpful to know just who they think
will be the consumer of these visualizations, and what they would do if one
were perfect.

~~~
jcims
I've been at this a while and I think you touch on a few great points here
(and generally agree with all of it). Security pros as counter-culture cats has
been a thing from the beginning. It still exists of course, but I do believe
it's getting better and even as a generally conservative old white incumbent
male in the field I give most of the props to efforts to improve diversity and
inclusivity in the ranks. With this I feel we'll start to attract (or at least
not scare away) people that are comfortable operating at layers of abstraction
themselves, able to communicate with the deep domain experts AND product
management, project managers, leadership, etc. This might help to chip away at
the professional impedance mismatch you're noting towards the middle.

That said I do think there's another part of this problem...security vendors
have been selling garbage visualization products for at least 20 years now and
over-promising greatly what they can do. Anybody that's been burned is going
to be incredibly skeptical of something new...especially if it is billed as a
way to visualize 'security' and not a laser-focused sub-domain with ample
options for extending the visualization for corner cases not included in the
tin.

~~~
rficcaglia
You mean companies have been _buying_ garbage visualization products...if IT
spent money on things that actually move the needle on security (training and
career paths for engineers, skilled managers, rewarding quality over velocity,
long term thinking execs, investing in open source ... to name a few) then
vendors wouldn’t be able to sell garbage. Instead IT depts settle for glitzy
UIs that plaster over the real (deep and pervasive) culture, HR, and
organizational issues.

------
lifeisstillgood
I have always thought that "solving" cyber security was fairly simple.

The cost of running insecurely should exceed the cost of making it secure.

Usually this is done by the Board firing the CEO and the next CEO firing
anyone who fails to improve.

For a long time it has been better to do your job insecurely than to fail to
do your job whilst being secure.

GDPR, equinox, target are starting to change that.

In short, the CIA is very good at operating with high levels of
cyber-security. Do as they do.

~~~
ignoramous
> The cost of running insecurely should exceed the cost of making it secure.

This was suggested by Bruce Schneier, as well, in one of his books, citing the
example of rising difficulty of credit card fraud now that the credit card
companies are held wholly liable for it.

~~~
alasdair_
>citing the example of rising difficulty of credit card fraud now that the
credit card companies are held wholly liable for it.

The people that are held liable for credit card fraud are, ultimately, the
merchants. If someone uses a stolen credit card, it's the merchant who is left
without any money after shipping their goods.

------
eswat
Nice, this is a timely challenge for me since I’m making a career switch from
UX/UI design towards cyber security (background is CompSci so I get to dust off
some knowledge I didn’t get to apply much since graduation).

~~~
ChuckNorris89
Nice. How do you plan to manage the switch?

In my area cyber security companies only hire people with the same background
and experience. Without that, HR will just filter you out.

I'm like you, CompSci degree with embedded background and working on my
Offensive Security certificate.

~~~
eswat
So far it’s just been a lot of theory (books, man pages, reading PoC code and
vulnerability disclosures, dusting off old texts on networking) and practice
(CTFs, bug bounty, writing my own exploitable apps then fixing them after,
trying out PoCs) since I want to hit a certain level of competence before
applying for jobs.

I’ll be talking to contacts in cybersec and HR/recruitment departments in my
area since the hiring filter is a bit of a concern. I’m used to going around
HR, but not sure how that plays out in this industry. Despite doing front-end
and full-stack development for every position I’ve had I do feel I need to
groom my experience a bit to downplay my UX/UI contributions. Worst case is I
get certs like the OSCP you’re getting to speed things up.

------
samstave
Not a single example of something on the main page of the site?

Lame....

Gimme a visualization of TLS for example...

WTF

OK Cool downvote me: but put a freaking visualization example on the fucking
main page...

------
xwdv
This is doomed to fail. Imagine making a challenge aimed at reducing the use
of click-bait titles by encouraging examples of more accurate titles for
articles. Do you really think anything coming out of such a challenge will be
effective in reducing the use of click bait titles?

No, because ultimately titles, like images, are made to quickly capture
people’s attention, and using images of “real” cybersecurity would be boring.
Are you gonna show a WAF? Some logs? A usb?

Better to show a disheveled Russian in a grungy room filled with cigarette
smoke and empty vodka bottles. People will associate cybersecurity with
whatever they see in movies and shows.