The Securosis Intern and Contributing Analyst Programs

Update: based on questions over email- this is only part time and we expect you to have another job, and we are looking for 1-2 people to test the idea out. Also, if you are on the Contributing Analyst track, we’ll focus more on research and writing, and you won’t be asked to do much of normal intern-level stuff. Over the years we’ve met a heck of a lot of smart people, many of whom we’d like to work with, but we haven’t really had a good mechanism to pull off direct collaboration under the Securosis umbrella. Like pretty much any self-funded services company on the face of the planet, we need to be super careful on managing growth to limit overhead. We’ve also been dropping some activities over here that aren’t at the top of the to-do list, which is just as dangerous as bloated overhead. Right before Black Hat I tweeted that we were thinking of starting an intern program, and I received a bigger response than expected. Some of these people are far too qualified for an “intern” title. It also got us thinking that there might be some creative ways to pull other people in, without too much overhead or unrealistic commitments on either side. Being something of community and social media junkies, we also thought we’d like to incorporate some of those ideas into whatever we come up with. Thus we’re officially announcing our intern and Contributing Analyst program. Here’s what we are thinking, and we are open to other ideas: The intern program is for anyone with a good security background who’s also interested in learning what it’s like to be an analyst. We’ll ask for some cheap labor (writing projects, site maintenance, other general help) and in exchange we’ll bring you in, show you the analyst side, and give you access to our resources. We’ll pay for certain scut work, but it won’t be a lot. Floggings will be kept to a minimum, unless you are into that sort of thing. The Contributing Analyst positions are for experienced industry analysts, or others capable of contributing high quality research and analysis. We will ask you to blog occasionally and bring you in on specific projects. We will also support you if you bring in your own projects. In exchange, we will pay you the same rates we pay ourselves on projects, including some of the research products we are planning on producing. In both cases you will be part of the Securosis team – participating on briefings, using our resources, and so on. We realize there might be the occasional conflict of interest, depending on your current employer. Anyone in either program will be restricted from writing about anything that promotes, or potentially promotes, their current employer and will be restricted from briefings and proprietary materials from competitors. You’ll have to be firewalled off from any conflicts. Also, any potential conflicts will be disclosed on your site bio and in any publications. You’ll have to sign a contract agreeing to all this. You’ll get a Securosis email, direct blog access, internal collaboration server access, business cards, editorial support and use of anything else – like our SurveyMonkey account, and so on. We are really persnickety about how we write and the quality of our work. Anything you publish under our name will have to get approved by a full-time analyst and go through an editorial process that may be considered brutal, if not outright sadistic. We’ll train interns up, but any Contributing Analyst will be expected to write at the same level we do, and reviewed too. Unless you are already an established industry analyst (or have that experience) we will have you start in the intern program for a minimum of 3 months. This is so we can feel each other out and make sure it’s going to work. Anyone in either program can eventually become a full timer, if the workload and quality supports it. We don’t plan on “dictating” to people. We want to give you freedom to explore different research projects and new ideas. We’re totally up for helping implement (and even funding) good ideas as long as they support our no-bull totally transparent research philosophies. Basically, we want to expand the community of people we work with directly, even if it’s not a traditional employee/employer relationship. Eventually we’d love to have a network of contributors of different types, and this is only a first step. There are perspectives out there that no full-time analyst will ever get, by the nature of the job, and this might be a way to expand that window. We also think we can support some new, interesting kinds of research that might be difficult to perform someplace else. Think of us as a platform, especially since we don’t feel compelled to directly monetize everything we do. If you are interested, please email us at We’ll need a resume, bio, which program you are interested in, and why. We’ll have an interview process that will require some writing, presenting, and an interview or two. We only plan on taking a couple people at a time since it can take a lot of time to get someone up and running, but we’ll stack rank and fill in as we have the capacity to support people. Share:

Read Post

Mini Black Hat/Defcon 17 recap

At Black Hat/Defcon, Rich and I are always convinced we are going to be completely hacked if we use any connection anywhere in Las Vegas. Heck, I am pretty sure someone was fuzzing my BlackBerry even though I had Bluetooth, WiFi, and every other function locked down. It’s too freakin’ dangerous, and as we were too busy to get back to the hotel for the EVDO card, neither Rich or I posted anything last week during the conference. So it’s time for a mini BH/Defcon recap. As always, Bruce Schneier gave a thought provoking presentation on how the brain conceptualizes security, and Dan Kaminsky clearly did a monstrous amount of research for his presentation on certificate issuance and trust. Given my suspicion my phone might have been hacked, I probably should have attended more of the presentations on mobile security. But when it comes down to it, I’m glad I went over and saw “Clobbering the Cloud” by the team at Sensepost. I thought their presentation was the best all week, as it went over some very basic and practical attacks against Amazon EC2, both the system itself and its trust relationships. Those of you who were in the room in the first 15 minutes and left missed the best part where Haroon Meer demonstrated how to put a rogue machine up and escalate its popularity. They went over many different ways to identify vulnerabilities, fake out the payment system, escalate visibility/popularity, and abuse the identity tokens tied to the virtual machines. In the latter case, it looks like you could use this exploit to run machines without getting charged, or possibly copy someone else’s machine and run it as a fake version. I think I am going to start reading their blog on a more regular basis. Honorable mention would have to be Rsnake and Jabra’s presentation on how browsers leak data. A lot of the examples are leaks I assumed were possible, but it is nonetheless shocking to see your worst fears regarding browser privacy demonstrated right in front of your eyes. Detecting if your browser is in a VM, and if so, which one. Reverse engineering Tor traffic. Using leaked data to compromise your online account(s) and leave landmines waiting for your return. Following that up with a more targeted attack. It shows not only specific exploits, but how when bundled together they comprise a very powerful way to completely hack someone. I felt bad because there were only 45 or so people in the hall, as I guess the Matasano team was supposed to present but canceled at the last minute. Anyway, if they post the presentation on the Black Hat site, watch it. This should dispel any illusions you had about your privacy and, should someone have interest in compromising your computer, your security. Last year I thought it really rocked, but this year I was a little disappointed in some of the presentations I saw at Defcon. The mobile hacking presentations had some interesting content, and I laughed my ass off with the Def Jam 2 Security Fail panel (Rsnake, Mycurial, Dave Mortman, Larry Pesce, Dave Maynor, Rich Mogull, and Proxy-Squirrel). Other than that, content was kind of flat. I will assume a lot of the great presentations were the ones I did not select … or were on the second day … or maybe I was hung over. Who knows. I might have seen a couple more if I could have moved around the hallways, but human gridlock and the Defcon Goon who did his Howie Long impersonation on me prevented that from happening. I am going to stick around for both days next year. All in all I had a great time. I got to catch up with 50+ friends, and meet people whose blogs I have been reading for a long time, like Dave Lewis and Paul Asadoorian. How cool is that?! Oh, and I hate graffiti, but I have to give it up for whomever wrote ‘Epic Fail’ on Charo’s picture in the garage elevator at the Riviera. I laughed halfway to the airport. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.