Show logo
Explore all episodes

All Together Now

  |  Command Line Heroes Team  
Security
Tech history

Command Line Heroes • • All Together Now | Command Line Heroes

All Together Now | Command Line Heroes

About the episode

Our show is all about heroes making great strides in technology. But in InfoSec, not every hero expects to ride off into the sunset. In our series finale, we tackle vulnerability scans, how sharing information can be a powerful tool against cyber crime, and why it’s more important than ever for cybersecurity to have more people, more eyes, and more voices, in the fight.

Wietse Venema gives us the story of SATAN, and how it didn’t destroy the world as expected. Maitreyi Sistla tells us how representation helps coders build things that work for everyone. And Mary Chaney shines a light on how hiring for a new generation can prepare us for a bold and brighter future.

Command Line Heroes Team Red Hat original show

Subscribe

Subscribe here:

Listen on Apple Podcasts Listen on Spotify Subscribe via RSS Feed

Transcript

It's the final scene of an epic horror movie. After grueling days of evading this monster, sacrificing herself and saving everyone she could, our hero has finally won. She collapses, exhausted but relieved. She did it. It's over, but it's not really the end, is it? In the final, final scene, the camera turns toward the monster's lifeless face. There's a terrifying moment of expectation. And then, the monster's eyes snap open. Evil does not stay dead. There's usually a sequel, and the big bad villain comes back bigger and badder than ever. That's why the further down the horror franchise you go, the more heroes have level up and expand their team. I'm Saron Yitbarek, and this is Command Line Heroes, an original podcast from Red Hat. This season, we've been going face to face with some of the biggest monsters in tech; the viruses, trojan horses, botnets, and ransomware that tried to destroy our digital lives. And we've learned that the more we move online, the larger the stakes get in these security battles. Everybody is being pulled into the fight. We're all part of the action working to build a safer future. So in this episode for our season finale, we're looking at what that call to arms really means. How do we bring more voices, more people, into security work? And why does it matter whether people with different backgrounds join that larger team? In other words, how does paying attention to every voice, even an outsider's, actually make things better for everyone? SATAN was about awareness. Wietse Venema is a software engineer at Google, but back in the early 1990s, he was working on a new free tool called SATAN. That stands for Security Administrator Tool for Analyzing Networks. Nobody asked for SATAN. It wasn't a company project or a government initiative. It was just a project driven by Venema and his friend, Dan Farmer, who was then the security czar at Silicon Graphics. They had studied the new world of networked computers, and they felt they could build a tool that network needed. Just imagine that you have a bunch of computers that until recently were just standalone, they were not connected with each other. And certainly, computers are networked together. Having access to one computer now means that you have access to a million computers. That's a lot of computers. That's a lot more than one. Those first networked computers were mostly at universities and large companies. And every institution might have a system administrator who handled a few security issues, but protecting computers was often an afterthought. As we learned in our last episode, the first networked computers were full of security holes. The defenses of those computers were relatively weak. Hackers could use simple brute force attacks to guess passwords and break in. Users were naive, and sometimes, administrators weren't much better. What's worse, when one security team discovered a security flaw, they weren't sharing what they learned. Around that time, there was no disclosure of vulnerabilities, no process for doing that. In the early days of the internet, you might do battle with a software bug or some new virus, but then you didn't pass on your solution or even report your problem. Everybody on the planet was tackling each security problem as though it were brand new. So, how do you change that system? How do you get people sharing information about all the known security issues they've come across? Enter SATAN. People just didn't know that they had these problems on the network. So, the purpose was to make an inventory of all the computers on your network, and then probe with, I think, a dozen different vulnerability checks and report for all the computers, all the problems that they had. A program that scans computers on a network for known security vulnerabilities and lets you know where they are. It even had a web interface, which was pretty slick at the time. There, system administrators could automate the process, easily scanning their system for security flaws. It also told you what kind of machines were being used and how they were connected. Sounds useful, right? That sounded scary to some people. That idea met some resistance. For some of those universities and companies that were being scammed, this sounded like a shortcut for the bad guys who wanted to hack them. A program that points out security holes? Wouldn't that just make hacking easier? It was a serious worry. And I mean, it probably didn't help that the program was called SATAN. People suggested like, "You should not do this because it will be the end of the internet." We decided to proceed anyway. We thought the internet will be destroyed if we don't do something about it. Venema and Farmer believed that a secure network had to be a network where awareness of known security threats had precedent. In other words, sunlight is the best disinfectant. Think of the alternative. If security teams aren't sharing information about vulnerabilities, then the good guys are always working alone while the bad guys could be comparing notes and building on each other's work. SATAN was released in April 1995, and contrary to critics' fears, the internet did not collapse. As far as I know, SATAN was not used for any attacks. It was used to find problems and to fix them. SATAN became the grandfather of all vulnerability scanners. Today, we have tools like Nmap, OpenVAS, and Nessus. All of them owe a debt to that controversial tool from 1995. More importantly, SATAN helped establish the principle that security information should be shared, not hoarded. The way that we now disclose vulnerabilities, I think, was not common practice until SATAN came along. Now we have what we call responsible disclosure or coordinated disclosure, where you tell the vendor first, you give them time to fix the problem, and then you make it public so that people can protect themselves. This culture of information sharing has become fundamental to cybersecurity. Bug bounty programs, where companies pay researchers to find vulnerabilities, are now standard practice. Security conferences regularly feature presentations about new attack techniques and defense strategies. The cybersecurity community has embraced the idea that knowledge shared is security strengthened. I think in general, we're much better at sharing information about security problems now than we were in the 1990s. There are formal processes, there are organizations that coordinate this, and I think the net result is that we're more secure as a community. But there's another kind of diversity that's equally important for the future of cybersecurity: diversity of people. Having different perspectives and backgrounds on security teams isn't just about fairness - it's about effectiveness. I think having diversity in cybersecurity teams is incredibly important because cyber threats are becoming more sophisticated and more varied. Maitreyi Sistla is the deputy director of the Tech Policy Hub at the Aspen Institute. She's spent years studying how diversity impacts technology development and security. When you have teams that all think alike, that all have similar backgrounds, you're going to miss things. You're going to have blind spots. And those blind spots can be exploited by attackers. Think about it this way: if your security team is homogeneous, they might all make the same assumptions about how systems will be used or what kinds of attacks are likely. But attackers don't think the same way - they look for unexpected angles, unconventional approaches. Different backgrounds bring different perspectives on risk, different ways of thinking about problems, different experiences with how technology is actually used in the real world. All of that makes for more robust security. Sistla points out that this isn't just theoretical - there are concrete examples of how lack of diversity has led to security vulnerabilities. We've seen cases where security systems were designed with certain assumptions about user behavior, and those assumptions turned out to be wrong when the systems were deployed to more diverse user bases. The result was unexpected vulnerabilities. For example, facial recognition systems that work well for some demographic groups but fail for others. Or authentication systems that assume everyone has the same type of device or internet connection. These aren't just usability issues - they can become security vulnerabilities when attackers exploit the gaps. When you're building security systems, you need to think about all the different ways those systems might be used, all the different environments they might be deployed in, all the different types of users who might interact with them. That kind of comprehensive thinking is much more likely to happen when you have diverse teams. But despite the clear benefits of diversity, the cybersecurity field still has a long way to go. Women and underrepresented minorities are significantly underrepresented in cybersecurity roles. The statistics are pretty stark. Women make up only about 25% of the cybersecurity workforce, and the numbers for racial and ethnic minorities are even lower. This is a problem that the industry recognizes, but change has been slow. Part of the challenge is that cybersecurity has traditionally been seen as a highly technical field that requires specific educational backgrounds. But that perception is changing as organizations realize that effective security requires a much broader range of skills. Modern cybersecurity isn't just about understanding technical vulnerabilities. It's about understanding human behavior, organizational dynamics, risk management, communication, policy development. There are so many different ways to contribute to cybersecurity that don't necessarily require a computer science degree. This broader understanding of what cybersecurity encompasses is creating new opportunities for people from different backgrounds to enter the field. And organizations that are serious about improving their security are starting to actively recruit from more diverse talent pools. I'm seeing a lot more interest from organizations in hiring diversely, not just because it's the right thing to do, but because they're recognizing the business value. Mary Chaney is the CEO and President of Minorities in Cybersecurity, an organization dedicated to increasing representation in the field. When I started in cybersecurity 20 years ago, diversity wasn't really a topic of conversation. Now, I'm seeing executives who understand that diverse teams perform better, that they're more innovative, that they're better at solving complex problems. Chaney's organization works to create pathways for underrepresented groups to enter cybersecurity, providing mentorship, training, and networking opportunities. A lot of times, people from underrepresented groups don't even know that cybersecurity is an option for them. They might be interested in technology, but they don't see people who look like them in these roles. So part of what we do is visibility - showing people that there is a place for them in this field. But it's not enough to just recruit diverse talent - organizations also need to create inclusive environments where people from different backgrounds can thrive. Diversity without inclusion doesn't work. You can hire people from different backgrounds, but if they don't feel valued, if they don't have opportunities to grow and lead, if they don't see their perspectives being incorporated into the work, they're not going to stay. Creating inclusive environments requires intentional effort. It means examining hiring practices, promotion criteria, and workplace culture. It means ensuring that diverse voices are heard and valued, not just present. I always tell organizations, hiring is just the first step. The real work is in creating an environment where everyone can do their best work. That means addressing bias, providing mentorship and sponsorship opportunities, and making sure that leadership is committed to inclusion at every level. The good news is that there are more opportunities than ever in cybersecurity, and the field is growing rapidly. We have a skills shortage in cybersecurity. There are millions of open positions worldwide. This creates a tremendous opportunity for people who might not have considered this field before. And it creates pressure on organizations to think more creatively about how they recruit and develop talent. The skills shortage also means that organizations can't afford to overlook talent from any source. They need to cast a wider net and think more broadly about what qualifications are truly necessary for different roles. I think we're starting to see a shift in how organizations think about hiring for cybersecurity roles. Instead of looking for people with specific technical credentials, they're looking for people with the right aptitude and the right mindset - people who are curious, analytical, good at problem-solving, good at communicating. These are skills that can be found in people from many different educational and professional backgrounds. A former teacher might have excellent skills in identifying and responding to behavioral anomalies. A social worker might have insights into how to design systems that work for vulnerable populations. I've seen people come into cybersecurity from all kinds of backgrounds - education, healthcare, finance, the military, liberal arts. What they bring is a different perspective on problems, a different way of thinking about risk and trust and human behavior. That diversity of thought is incredibly valuable. It's the first few cracks in that ceiling that are the most difficult. But cultural shifts have a way of snowballing. I've had several of the folks in the MIC community opportunities and accept jobs with our corporate members. I'm excited about the opportunity to provide not only a safe community, but a place that someone can go to get the soft skills training. I hate to say soft skills, but that's really what it is. A lot of times with women and minorities, we go so hard and fast with certifications and education. "Oh, I need this," or, "I need that, and that's going to open up doors for me," not understanding yourself and the type of leader you are, how to identify certain situations, how to deal with conflict resolution. Those are the things that will take you further than your certification, especially if you want to be a people leader. Maitreyi Sistla notes there's good news for mentors like Chaney. Cybersecurity is a booming field. There's something like half a million open cybersecurity jobs in the U.S. right now, and almost 3 million worldwide. There are the jobs there. This is not an issue of, "There aren't jobs." That means there's a fantastic opportunity right now for security teams to hire up a new diverse generation of employees, and that would have the knock on effect of making all our lives safer. Change is happening. The trick is turning these ideas into real concrete improvements to hiring practices and leadership training. If we can get that done, the result is a broader collective experience, a leveling up of our abilities, a bigger team of heroes. And that makes the world safer, more secure for everybody. It takes every kind of Command Line Hero fighting as a team to combat the security crises of our time. And I think celebrating a range of voices, diverse voices, is a fitting way to say bye for now. After 67 episodes running over nine seasons, Command Line Heroes is taking a break. It's been such an honor over these last five years to tell the stories of the community we love. And we got some amazing love in return, millions of downloads, and even a few nods at award ceremonies. But most of all, we've been grateful for you; the Command Line Heroes community that came along for this incredible ride. But listen, there are more stories to tell. Do stay subscribed, because while this may be our last in the series of seasons, I want you to know the folks over at Red Hat have a lot more to share. Stay tuned. For now though, you can check out the podcast Compiler, where tech experts help to demystify tricky topics. And please stay in touch with me. You can follow me on Twitter @SaronYitbarek, and hear from me in conversation with other programmers on my podcast, Code Newbie. Meanwhile, you can explore the Command Line Heroes archive wherever you get your podcasts. Like I mentioned, we've done 67 episodes. You may have missed one. And what did all those episodes, including somewhere around 300 interviews, amount to? I think if there's one single takeaway from this show, it's this: the future is brighter when we work together. From our roots in the world of open source, to our commitment to diversity in education, we believe the future of tech belongs to everybody. More than that, it's going to be built by everybody too. I'm Saron Yitbarek, and this is it for Command Line Heroes... for now. An original podcast from Red Hat. Before we go, I wanted to share what have been some highlights these past nine seasons. A favorite part of hosting the show for me has been the editorial meetings. Before each season, our team sits in a room and dreams about all the possibilities. Our ideas reach far and wide. Our pitches cross countries and industries. Our stories are deep and personal. But what I love most about these meetings isn't just the energy in the room. It's not just the excitement over a shiny new season. It's the fact that the season could truly be about almost anything, because technology and Command Line Heroes are everywhere. I love that we've been able to talk about programming languages, prosthetics, the invention of GPS, gaming, floppy discs, even robots for senior citizens. Tech is such a ubiquitous part of our world that there's so much to explore and unpack. A few episodes that stand out for me are Creating JavaScript. The key to Brendan Ike is that Brendan Ike, when he built JavaScript, had become a language junkie. Season three, episode three. As far as stories go, I'm a sucker for the classics. And the story of JavaScript being created in 10 days is one that just never gets old. Another is Open Source Hardware: Makers Unite. The group was really almost like a group of misfits from the media lab, where it was our team... Season four, episode six. Hardware isn't my world, but I'm curious about it, and this one is all about the maker movement led by some pretty badass women. Makers are just another type of Command Line Hero after all, with a different set of tools. I also love our Robot as Body episode, featuring Tilly Lockey. My favorite part about the hands is how they look and how actually personable and customizable they are. I switch up all the…[clip fades out] Season eight, episode five. We talked about her personal experience with robotic limbs, and I got a peek into the future of this in industry and the incredible tech that's being worked on now. Truly inspiring stuff. We've covered a lot over the years. And behind every episode, there were dozens of people working hard to bring these stories to life, and to you. It's been such a pleasure to share it all. Until we meet again, keep on coding.

More about security

Security for modern systems is defined by its adaptability to newer attacks, and its integration into infrastructure and product lifecycles.

Blog Post

Red Hat’s response to OpenPrinting CUPS vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177

September 26, 2024  |  Blog posts from Red Hat

...

Linux
Security

Blog Post

Red Hat’s path to post-quantum cryptography

July 15, 2024  |  Emily Fox, Simo Sorce

...

Security
Technically Speaking, an original podcast from Red Hat

Original Shows

A new software supply chain security recipe | Technically Speaking

DevOps
Security
Technically Speaking, an original podcast from Red Hat

Original Shows

WebAssembly breaks away from the browser | Technically Speaking

Edge computing
Security
Technically Speaking, an original podcast from Red Hat

Original Shows

Compute confidential: In hardware we trust | Technically Speaking

Edge computing
Security

About the show

Command Line Heroes

During its run from 2018 to 2022, Command Line Heroes shared the epic true stories of developers, programmers, hackers, geeks, and open source rebels, and how they revolutionized the technology landscape. Relive our journey through tech history, and use #CommandLinePod to share your favorite episodes.