Chad Rikansrud on Being an Ethical Mainframe Hacker
Reg Harbeck: Hi, I’m Reg Harbeck and today I’m here with Chad Rikansrud, who is a mainframe hacker at RSM Partners—an ethical mainframe hacker—who has some really interesting background and, among other things, has the interesting Twitter handle @Bigendiansmalls. So Chad, maybe you can start by just telling us: how did you end up on the mainframe and become a mainframe hacker?
Chad Rikansrud: Well, thanks, Reg. Thanks for asking me to come talk about this, and I appreciate you throwing the ethical part in there, though those of us who bandy about the hacker term pretty much use it as just a term to mean somebody who likes to figure out how things work, or maybe use them in a way they weren’t meant to be used, but not necessarily connoting that we’re stealing things, if you will. I worked for a large financial institution for 20 years prior to the last couple, and in the last part of my tenure there I managed mainframe infrastructure, specifically the storage, so all of the data, basically. I owned all the data, and I’ve always had a penchant for security; combine that with the fact that I’ve always had a penchant for how things work. As a kid, I would go to these little rummage sales. I grew up in a small town, and we’d go to these rummage sales or garage sales. I would buy old TVs, radios, safes, locks, you name it. I’d take it home and just disassemble it down to the wires and capacitors until I had them all out on the table, and then, you know, probably just pitch it at that point, but I had an insatiable need to understand how things work, and also just a little bit of a deviant side in trying to get away with something, or trying to figure out how we could sort of poke our finger in the eye of the authority that tells us, “This is how this should be done.” So if you combine all those things, a little bit about me and the position I was in, which was managing and being responsible for all the data for this global bank, I quickly came to the idea that: one, I was tired of management. I wanted to work for a living again; and two, in my love of security, I was doing a lot of things on the non-mainframe side, like how does malware work, what’s this thing called ransomware, what are the bad guys doing? It’s pretty cool from a sophistication perspective what they’re doing.
Then it just hit me like a shot that there really isn’t anybody doing this on the mainframe, like that kind of research.
Reg: Yeah.
Chad: And I started talking while I was still at the bank, and I talked at some of the hacker conferences like DEF CON and also at SHARE. The first talk I submitted to SHARE was done in San Antonio a couple of years ago; I realized that I had hit my audience there and was on the uptick of people just starting to realize that maybe the mainframe is not a fortress. It felt like the calling to start pushing the envelope on this platform and bringing some of the tools, techniques and mindset that are pretty pedestrian, pretty commonplace in the non-mainframe world to the mainframe world.
Reg: Interesting. Well, this is really important stuff. You know, I think you’re right. We on the mainframe take it for granted that the mainframe is this sealed fortress. I like to liken it to Edgar Allan Poe’s story “The Masque of the Red Death”: when we think we are so safe and sealed, sometimes the threats can actually come from the inside. I think also one of the other challenges we have coming up on the mainframe is that the current generation of people, who have mostly proven to be trustworthy, are all retiring, and a new generation of people who haven’t been vetted out yet are coming on board, and not all of them are going to be good-quality people.
Chad: Right. Right. I mean, when I was a manager at the bank, I ran datacenter operations for quite some time, and then I ran this infrastructure group, both very mainframe-centric, very heavy mainframe, and I would say, with one or two exceptions, everybody who worked for me was 20 or more years my senior, and I’m in my 40s, maybe 30s back then, so that’s kind of a nod to that. But one of the interesting things came up when I had this conversation. I was out in Las Vegas last week giving a presentation at Black Hat, which is another security conference; one of the conversations I had out there was that there is going to be an interesting paradox, because we have to fix the issue with staffing, right. We’ve got a retiring, aging workforce.
Reg: Yeah.
Chad: So in order to get new people in, one of the things we’re going to have to do—and you’re seeing it happen already—is make the mainframe more available. Right? You’re going to have to have, like, maybe a hobbyist version. You’re going to have to have more training. You’re going to have to have just the ability to get your hands on it, because that’s one of the reasons we don’t have people in it now: there’s no reason for people to choose the mainframe coming out of school if they’ve never seen it, heard it, touched it, unless they know somebody, because they can see, hear and touch all of the other things. They just can’t do it on the mainframe. But the paradox is this: in making it more open, we are necessarily going to have more of an adversarial nature coming up against the mainframe. We’re going to see more threats, because the more open it gets, it’s not going to be only the people who want jobs on the mainframe, but it’s going to be people who want to see if they can’t find a way to exploit vulnerabilities, misconfigurations, or negligence on the platform, generally the latter, and so it will be an interesting arms race, if you will, to see if we can get more people in to defend and protect and test this thing before we get more people who want to, you know, just sort of take it apart bolt by bolt, maybe for their own nefarious reasons. I think they’re out there now, but, you know, it’s been a very closed ecosystem. The more you make it open, which I’m fully in agreement with, by the way, the more you will find that we see both sides starting to gain some traction there, so it will be an interesting few years, I think.
Reg: Now you made me think of a number of things when you were saying this. One of them is that in our current state of the mainframe, there seem to be two large groups of people on the mainframe that make up almost everybody, and that’s the group of people who don’t have inside information and the group of people who are under NDA. Neither of those works with the paradigms you’re talking about. How do we get to a place on the mainframe where people know stuff and they’re not under NDA?
Chad: Well, I think it may be bloody. There may be some conflicts along the way. If you look back, history shows us how this works. If you look back ten years ago, maybe a little more, at the likes of Microsoft, Google, Apple, you know, the big companies: when somebody found a vulnerability in one of their flagship products, SQL, Windows, whatever, a lot of times it ended with a lawsuit. One of those big companies would then sue said researcher, and it cost everybody loads of money; maybe the person got jail time or a fine, maybe they didn’t, but it was a really acrimonious, horrible process. Well, what happens now, as anybody who is paying attention knows, is that if you find a bug and send it to Microsoft, they just write you a check.
Reg: Bug bounty.
Chad: Bug bounty, right. And I mean, that started with them just sending you a T-shirt and a thank-you note. What they realized pretty quickly is that you have this ability to have a herd vaccination kind of thing, if you will. If everybody is out there poking at this stuff, and you incentivize the people who have some ethics and some willingness (they don’t want to be a criminal cartel, but they do want a little something for their trouble; a lot of times they just want recognition), then all of a sudden you’ve got this ally, this massive group of allies out there who, when they find a bug, are incentivized to give you that information versus holding it because they’re worried you’re going to sue them. It’s economics, right?
Reg: Yeah.
Chad: I think there will be some conflict when it comes to this, because what I think is going to have to happen is we’re going to have people start pushing that envelope, and then we’ll have the first case where somebody releases a zero-day or some kind of horrible exploit on Z publicly, doesn’t ask for permission, doesn’t go to IBM with it, just releases it publicly, and then IBM has to scramble to contain that, because up to now all of that stuff has happened behind closed doors and they’ve been able to keep a lid on it, like you said, with the lawyers, but that’s not going to be forever. I think eventually we’ll get where we need to be. The second thing that needs to happen is we need all the companies—and we’re starting to see this—who spend the money with IBM, who actually have the clout, to tell them, “Hey, we’d like you to start easing into a model that’s a little bit more like what we see with the rest of our vendors,” which is much more open disclosure of vulnerabilities, a much more public discussion about these kinds of things, and really letting your technology do the talking. If your technology is as good as it is, and we believe that it is, I think that it is, then you shouldn’t really have to worry whether these things are public or not public. I think that’s how it has to happen. We need a few good people to stand up and start fighting that fight. I’m not suggesting that we necessarily throw something out there. There’s responsible disclosure and all this kind of stuff, but I’m saying that we need people who are unwilling to say, “I’m not going to sign your NDA, and I have this, and we will do a responsible disclosure, a timeline, or whatever the case might be,” but I think it has to go down that road to start effecting change.
Reg: Okay so now I have a sense that you have a vision for where the mainframe ecosystem will be at when we come to a more stable sustainable security posture whether it’s ten years or 100 years from now.
Chad: Yeah.
Reg: And as we think about how we get there, you know I’m assuming there are probably some technological solutions that have to happen but probably also some cultural solutions. What would you say are the most important things that have to change or happen between now and then to make that happen?
Chad: You know, one of the interesting things, in a purely non-security capacity, is technology: a combination of technology, tools and really just the awesome power of the next generation, because, let’s face it, they’re all smarter than you and I are, right, and they grew up with computers in their hands. This makes a lot more sense to them than it did to us back in the 90s, 80s, 70s. I think what we’ll see is people who understand the platform in a far broader way, whereas now you’ve got your network people, your operating system people, your storage people.
Reg: Traditional silos.
Chad: Right. Tooling will take care of a lot of those things that used to require a PhD, heads down, to be able to do storage management or workload management. There’s still going to be some of that, but tooling will take care of a lot of it, and you’ll get people who understand the system more broadly. I think that will benefit everyone, because instead of having 50 people hired, you may be able to get away with having 20 people, because they can all manage the system. You don’t have to have these silos of people, and then the backups of those silos of people, which is how you end up with 50, 100 people in your mainframe shop. I think what we’ll get out of that is just this broad sharing of knowledge and broad sharing of abilities that gets us closer to the paradigms that have been set forth in how you manage systems at scale, which, let’s face it, the rest of the tech community has figured out. They understand how you do this at scale. The mainframe is scalable from a performance perspective, but the number of Windows servers that have to be managed on the network dwarfs the mainframe. Right? So I think what we’ll see is something more like that. We’ll start to see more mainframe generalists, and the good news is the kids these days will be able to pick this stuff up like nobody’s business. Give me somebody who knows Linux or some other platform really deeply and I can teach them the mainframe. It’s not rocket science. It’s complex, but for the people who love it for the technology and who love it for the challenge, they’ll pick it up and they’ll roll with it. They’ll want to do these things, so the good news is I think we’ll be able to get those people in there managing this thing in a much more sustainable and probably less expensive way, but we’ve got to start with investing in them. We’ve got to make the platform open. By open, I don’t mean open source.
I just mean get your hands on it. And then, from a security perspective, my tagline has been for years: we have to just treat it like another computer. We’ve got good policies and procedures on Linux, Windows and all of this stuff. We have to apply them to the mainframe. We can’t give it a pass. “Mainframe is out of scope.” We hear that all the time. We’re doing a pen test. “Mainframe is not in scope.” We just can’t have that happen. It’s going to be—it’s going to hurt for a little while. We were just at a place the other day where we scanned the mainframe and it crashed some CICS applications. It’s like, listen, if I can crash them—
Reg: —they’re crashable—
Chad: —they’re crashable, and somebody else is going to do that, and they’re not going to care. So the good news is that a model has been set out there, Reg, and we have to follow it along; maybe bring some people kicking and screaming, but we also have a lot of champions for this kind of stuff.
Reg: Excellent. Well, this has really been informative and important. Is there anything else you want to share with people, or have them keep in mind, before we finish up?
Chad: I would just tell them: if you’re interested in this sort of thing and you have some passion around it, get out of your comfort zone and go to some of these other conferences, or read the research on what other people are doing on other platforms, and then, if you’re a mainframe expert already, just start to jar your mind into what’s possible. I learned a lot by going and talking to people who don’t know anything about what I’m doing, and I don’t really know much about what they’re doing, but I think that’s how you broaden your mind and bring some of these ideas back, so I’ll leave that as my closing.
Reg: Okay and then your Twitter handle is?
Chad: @Bigendiansmalls.
Reg: So B-I-G-E-N-D-I-A-N-S-M-A-L-L-S.
Chad: Yes, very nice. Yeah, exactly.
Reg: Perfect. Thank you very much Chad. It has been a real pleasure.
Chad: The pleasure is mine. Thank you.