Parisa Tabriz is one of those Google engineers who guard the company’s technologies against malicious attack—a white-hat hacker who seeks out security holes in the internet’s most important operation. She’s also a rock climber. And these two halves of her life have more in common than you might think.
Finding your way to the top of a rock wall, she says, is a bit like finding a hole in Google’s Chrome web browser or its Gmail email service. In each case, you “sense” a path to your destination. “There are no rules,” she’ll tell you. “There is no hard and fast way of doing it.” And the more you do it, the more attuned your sense becomes. It’s no surprise that many of her colleagues inside the Google security team are also rock climbers. At places like Lake Tahoe and Red Rock Canyon, outside of Las Vegas, she has climbed with Chris Evans and Rich Cannings and other notable Google hackers.
What’s more, she explains, these are both endeavors where women can operate on equal footing with men. “Rock climbing is one of the few sports that’s fairly gender neutral,” she says. “It doesn’t rest so much on the physical strengths you were born with. It’s also about mental discipline.”
But there’s another similarity. In each case, though gender shouldn’t be an issue, it is. Most rock climbers are men, and most security researchers are men—a reflection of the larger community of computer scientists and engineers.
Tabriz is one of those prominent reminders that it doesn’t have to be this way. She discovered information security as an undergraduate at the University of Illinois at Urbana-Champaign, through a student-run group called SIGMil. She soon accepted a summer internship with Google’s core security team, working at company headquarters in Mountain View, California. And after joining the team full-time in 2007, she was tapped to run a team of security engineers who focus solely on the company’s Chrome browser and Chrome operating systems, centerpieces of its online future.
Her business card notwithstanding—it reads “Security Princess”—neither she nor her colleagues dwell on gender when discussing the evolution of her career. “Whether you were a man or a woman or whatever, it was difficult,” says fellow SIGMil alum Chris Grier of the hacking tests—yes, hacking tests—that guarded the way to the group’s Friday night meetings at UIUC. Tabriz is a hacker first. Yet, like so many others, she bemoans that relatively few women work in security—or across the larger tech world. As she indicates, a 2012 National Science Board study shows that female participation in computer science has declined to 18 percent from a peak of 37 percent in the mid-1980s. She also acknowledges that part of the problem is that our wider culture implicitly discourages young women from entering the field. Female role models can be hard to find. But she’s helping to change that.
Back to Her Roots
Earlier this month, Tabriz told her story on stage at the Crown Theater in Las Vegas, standing beneath a giant disco ball. Tucked inside the Rio Hotel casino, the Crown normally hosts the magic-and-comedy act Penn and Teller, but this year, it was also home to r00tz, the hacking conference for kids.
You can think of r00tz as a spin-off of Def Con, the annual hardcore hacker gathering, also held at the Rio. As an intern at Google, Tabriz would roadtrip with colleagues and friends to Def Con each summer, but that was long before the arrival of r00tz, a wonderfully eclectic affair for the children of Def Con attendees. When she first heard about the conference this spring, she volunteered to speak on stage and teach the kids a few tricks of the trade.
As Tabriz spoke, the kids sat at the cocktail tables, spread out across the theater. Some were boys and others were girls, including Summer, Maggie, and Ivy Young, three sisters from New Hampshire whose father has long worked in security. Dressed in a black T-shirt, black pants, and a studded belt, the 31-year-old Tabriz told them all that she first caught the hacking bug in college. She was teaching herself web design, using the once popular online service Angelfire to build website after website, but there was a problem. As a college student with little disposable income, she was stuck with the free version of the service, and she didn’t like the banner ads it fed onto her pages. So she hacked the service and found a way to remove them. “It gave me control of my canvas,” she said.
Angelfire would then change its service, to combat such workarounds. And then Tabriz would find another way of blocking the ads. “I liked the challenge of that,” she told her audience. “That’s how I got into computer security.”
Soon, she was attending SIGMil meetings in the basement of the UIUC computer science building, meetings only held on Friday nights—a way of discouraging dilettantes from joining the group. The group was steeped in the minutiae of computer security, but it was Tabriz who introduced them to the techniques of web hacking—still a relatively new field in those days. Grier, now a computer security researcher at the University of California and one of many SIGMil alumni who have gone on to bigger things in the security world, remembers Tabriz explaining the ins and outs of cross-site scripting and cross-site request forgery, techniques now well known as fundamental ways of attacking a website.
As she told her story at the Crown—the disco ball spreading little bits of blue light across the stage—she asked questions of her audience and tossed electronic blinking yo-yos to those who answered. Then, following her speech, at a handful of the cocktail tables at the back of the theater, she and other Google hackers used a few makeshift games to teach the kids some of the basics of security. She taught them the classic Caesar Cipher with two spinning wheels cut from sheets of paper, and she helped them learn the Diffie-Hellman cryptographic key exchange with water and food coloring.
Eight-year-old Maggie Young certainly enjoyed the games—not to mention the free Chromebook she received, one of 300 Google laptops that Tabriz arranged to be distributed at the conference. “It’s awesome and cool and really nice,” Young told us, sporting a pink faux-hawk, after getting her head semi-shaved as part of MohawkCon, another Def Con activity that raises money for various hacker and privacy groups. And although she may not realize it, she and her two sisters, Ivy and Summer, received a much subtler and perhaps larger gift: a role model.
If they don’t understand the impact this can have, their mother, Cynthia, certainly does. Def Con, which her husband attends each year, was traditionally an event filled mostly by men, who kept a kind of stranglehold on its mohawks-and-geek-T-shirt culture. But women hackers are now more prevalent than in years past. “There are some incredibly smart women who are hackers,” Young told us, before motioning to her daughters. “They need to be exposed to that.”
‘Ignorance Is Dangerous’
It’s a natural fit for Tabriz. At Google, she is, among many other things, a teacher—one of the driving forces behind a program to teach all of Google’s engineers how to eliminate bugs in their code before they happen. The program is called “Resident Hackers.” Rather than just explaining the intricacies of web security to Google engineers with PowerPoint slides or white papers, Tabriz and her team show them how to find and exploit security bugs. Basically, she teaches them how to attack websites, so that they’ll then know how to build them with the proper defenses.
“The common wisdom you hear from security people is that you can’t really do anything useful with user education, that developers just don’t want to learn about security… But Parisa questioned the wisdom of this,” says Michal Zalewski, another noted security engineer at the company. “Parisa tried to challenge that line of thinking and tried to come up with creative approaches to user education that really scale and really help a company the size of Google, and the interesting thing is that she succeeded.”
Some question the wisdom of teaching the same sort of thing to children, arguing that you’ll teach them to do as much harm as good. But for Tabriz—and practically anyone else in the security community—the argument is a non-starter. Information, she says, is a good thing. You have to trust that people will use it for good.
Others question the wisdom of calling attention to the tech gender gap, arguing that this merely exacerbates the problem. But Tabriz doesn’t buy this either. “Just the fact that people are talking about it is a good sign,” she says, pointing out that tech companies and other organizations are now addressing the problem head-on. “Some people don’t want to hear about bad things because they’re scary, but ignorance is dangerous.”
As Cynthia Young points out, Def Con is still predominantly men. But that’s something she will openly discuss with her daughters. As Tabriz explains, this is a bit like the modern approach to information security. In the past, many tech companies discouraged news reporters from disclosing bugs in their software and services. But now, led by Google, it’s common for companies to run bounty programs where they actively encourage people to find and reveal bugs. “We used to ignore that bugs exist, pretending that they would just go away,” she says. “Now, we recognize not only that our software has bugs, but that we need help from the larger community to patch them.”