Part III: Questions Answered About Computers and Computer Security
1. What is the purpose of the computer security archive that you are compiling?
Several associates and I are toying with using autonomous agents to create a system (called IntelligentsiaIT) that will make it easier for researchers to analyze security incidents and correlate possible similarities. Somewhere in all that data, we hope to find some answers about how security weaknesses evolve.
2. Who is the intended user of the security archive and is it available to the general public at this time?
Not yet. Currently, it's a research project, sponsored by...ahem...a CPA firm and a few AI enthusiasts.
3. Are the difficulties for the average end user in protecting himself when shopping on the internet too great to overcome without losing the inherent advantages?
I don't think so. Security continues to improve, too. By the time we're all using IPv6, users won't have to worry much.
4. Which form of e-money do you feel is the most secure?
I don't like the concept of e-money. Next, we'll be authenticating ourselves by a mark on our right hands or our forehead.
5. What would the ideal payment system look like (in a visionary kind of way)?
Well, as I related, soon, your system will identify you biometrically and the money will automatically withdraw from your accounts. Hahahaha. No man shall buy or sell lest he have the mark of the beast or the number of his name. That's where we're going, isn't it?
6. What is your vision of where the internet will be in 5 years' time? In 10 years' time? In 20 years' time?
Soon, the Net will no longer be something that you surf. Instead, it will be an engine. Smart house toilets will analyze your human waste, find that you need insulin, notify you and your doctor by email, and so on. Your refrigerator will see you need eggs and use the Net to order more. The Net will become invisible but completely pervasive, tracking and managing every aspect of your life. Your automobile will call for help when it needs oil and your mechanic will know, instantly, that you need an oil change, and so on. Which is how it should be. Why should you have to search for info? It takes forever. Autonomous agents will do nearly everything for you. At that stage, the Net will be everywhere...in cars, watches, phones, bathrooms...everywhere, but largely invisible.
7. Do you see differing security philosophies in large and small companies in Europe, North America or the so-called tiger countries?
Security awareness has heightened to the point where, in the "Holy Roman Empire" countries (EU, US, Australia, etc.), most companies now realize that they need security. Smaller companies tend to be more concerned (naturally) with privacy. Larger companies have different concerns. One simple concern (which I see arising more now in larger firms) is liability. Many American companies now spy on their employees. They watch, for example, all email going out, to determine if employees are mailing out sensitive information to competitors. They also watch for sexual harassment in inter-office mail, and so forth. Other issues concern in-house websites and so forth. But from a purely strategic perspective, I do see evidence of a growing movement toward deception (à la Fred Cohen's Deception Toolkit). One interesting development, too, is the introduction of AI into security. I know an ex-Air Force officer currently working with a physicist and mathematician on a system that can ascertain new attacks before they ever develop a signature. (A signature, in this case, is any string or occurrence common to a particular attack). This system - which, incredibly, they're using Excel for, as I'll momentarily explain - analyzes human usage behavior, not code. And many other universities and firms are studying similar things now. Unfortunately, of course, what we're talking about here is that security has become so important that it's now beginning to invade our privacy. But yes, there are major differences. Europeans are far more concerned with privacy. Also, some Europeans class certain types of information as unlawful whereas here, we do not. Our Constitution's First Amendment is, of course, inconsistent with many restrictions overseas. Hence, America has become a sort of haven for anyone who has odd political views. Naturally, companies are fearful that this will reflect badly on them (and perhaps, invite liability).
So large companies do tend to watch their employees carefully. From a purely philosophical viewpoint, however, large companies have reverted to the KISS ("Keep it simple, stupid") principle. They establish an approved application set and expect their employees to stick to it. Employees don't always do that, of course. But nevertheless, if even a significant percentage do, that reduces risk. But I think all companies here now have arrived at a simple conclusion: security is an ongoing process and not an end. Hence, nearly all companies are now aware of it. Unfortunately, however, many small companies just don't have the resources, time, or personnel to handle security 24/7. That means they end up buying suites from folks like NAI. Much of the time, these suites (while obviously not perfect) do handle the most serious problems. (Oh yeah...briefly, the Excel application I described above is nothing short of amazing. Each cell carries massive formulas that, when tied together, can discern suspicious from non-suspicious behavior almost 90% of the time. AI from Excel. As a Unix guy, I was skeptical, but they did it).
8. Which governments do you feel are doing the right kinds of things to promote the awareness that network security is important?
None. Well, I shouldn't say that. Our Congress, for example, recently passed (and now is prepared to have agencies enforce) regulations regarding the transmission of confidential medical data. Surprisingly, the regulations (in our Federal Register) are actually worth something. Many times, governments pass largely perfunctory measures to placate an electorate. I was shocked (and quite pleased) to find that our government - for once - wasn't snoozing on the job. In fact, the regulations are so stringent, I don't think many hospitals can comply without spending thousands (or perhaps millions). But hey....medical data should have some protection. Other governments, I cannot speak for, except that I see many governments restricting what private citizens can say on their websites. Of this, I cannot approve. If you despise Germans, Americans, Australians, Whites, Blacks, Asians, Jews, or whatever, you should have the right to say it. By driving such groups underground, governments make a cardinal mistake. Having unpopular views has always been popular and chic. You make it ten times more so when you outlaw a given position. True, the Internet - more than any other single invention - can show you that nuts are everywhere in full force. Never quicker will you realize that many of your countrymen are stark raving mad than when you join an Internet mailing list. But isn't that why SAIC loves the Net so much? Why not know who you're dealing with? The Net exposes everyone and all their ideas. It's a great intelligence tool to study the masses. Let it ride and you'll learn much. Outlaw speech and you miss the good parts. But also...and this will likely shock you....I favor privacy big time. Hence, I think that many Euro policies make sense. Here, we sell names and addresses over and over again. You subscribe to a web site for women and suddenly, your mailbox is filled with advertisements for Wolford.
Now, while I think Wolford makes the best hosiery in the world, I'm a guy and don't wear panty hose. And if I didn't have women to put them to, I'd be angry. Human privacy seems to be a basic human right. If I want to live without being bombarded with advertisements, that's my right. And I don't want anyone having my medical information, either. But incredibly (because my government so often screws up), I do think that the US has finally gotten around to making some decent progress in heightening security awareness.
9. Who do you feel should carry the major responsibility for secure systems, especially when one considers that most end users are small companies or private personal users?
That's a tough question. Most small companies can't afford a full-time security staff. Usually, they rely on their system administrator. Now, we often see these zealots on USENET and the security lists talking about making government regulations about how private networks should be secured. This is patently ridiculous. It's like when Webster (of dictionary fame) wanted to impose a fine for poor English usage. (Under his rules, I'd already be bankrupt, even with my excellent editors). If I were advising a small company, I'd tell it this: invest in the people you already have. Send them to school and seminars. Your system administrators are skilled folks - and the people most likely to understand security issues. Invest in them. They're good people with fine minds and a natural aptitude. Cultivate that...they're already on the payroll, after all. They're not going to cost you anywhere near as much as some outside service, and their loyalty is what you really need. Without that - and their diligence - all the outside firms in the world can't save you.
10. Can one reasonably expect the average man on the street to understand his computer in a way that gives him the ability to secure his computer? The average driver cannot repair security problems in his car, so why should the end user have to do this for his computer?
That's a good point, and a hard-to-answer question. The problem isn't users, though. It's vendors (and yeah, Microsoft, I'm talking to you, even though you're only one offender of many). Users wouldn't need to secure anything if vendors audited their code (or audited it more efficiently). The folks at OpenBSD do it with a nominal staff and a few donations ("no remote holes in four years"). Why can't larger firms - Microsoft, Sun, HP - do the same? Which is money better spent, 1-minute spots on network television or a good security code audit? You figure it out. Unfortunately, the reality is, users must find some measure of security on their own - because vendors aren't doing that great of a job. But yes....the average computer user can pick up a few books and definitely secure their system.
11. Is data free? Should data be free, e.g. what are your feelings about Napster and the music industry?
Ugh. Here, you ask a man who subsists on royalties what he thinks about Napster. Heh. No, I don't think it should be entirely free (music, that is). What's wrong with charging a few cents per download, though? I mean, take away the expensive packaging, the plastic, the jewel case, the CD, the paperwork, the credits, the distribution, the storage fees, and so on. That's what you're paying for. And when you take all that away, and divide the songs up, how much are you actually paying for each song? Probably a few cents. So why can't firms like Napster charge a few cents a song? Now, I have different views on the MPAA, words which you cannot print, I'm sure. So, some Linux knuckleheads found a way to play DVDs on Linux. I think that's great. I have a bumper sticker that addresses this issue. You likely already know what it says, so I'll leave it at that.
12. As a security expert aren't you worried that the information in the book will, in some cases, be counterproductive by giving beginners an idea of how best to go about cracking other people's computers?
No. Crackers today become hackers tomorrow who become security specialists the day after. No one does wrong the whole of their life unless they have real problems. I know Mitnick (not very well, but I know him). He's a good dude. Made some mistakes, for sure, but he's no Justin Tanner Peterson. As I once wrote in a book....if you want to learn how to crack systems, set up an intranet and do it. There's absolutely no reason to break the law (although, I've broken it often enough, just for excitement. I dunno.) I do know, though, that it's important that every system administrator know what crackers know.
13. In the long run, do you feel that the bazaar or the cathedral provide the higher security and usability for the average user?
If by that you mean, do I favor open source? Yes. However, I am the farthest thing from a communist on this planet. I don't hate Bill Gates, I admire him. Someone so wily, so ruthless, so driven...how can you not admire him? But to the question....projects like OpenBSD promise much better security. Absolutely. Linux is a little shaky, though, chiefly because so many newer programmers (unfamiliar with security) contribute fine tools that have security flaws.
14. Should Microsoft be broken up?
You asked the wrong person, because I have extensive education regarding antitrust issues. I maintain precisely the same attitude as our Oliver Wendell Holmes did. "Antitrust is damned nonsense". Endless studies have found this to be true. Turns out that Rockefeller (in addition to helping save the whales as a byproduct) drove down prices so much that whale oil became a dead issue. As Judge Bork once said, antitrust statutes are anti-competitive in themselves. The free market does work. When companies like Microsoft do unpopular things (and sometimes, turn out what purists consider deficient products), competitors do emerge (e.g. Linux). Let the market work. So, no...I think Microsoft should go about its merry way without government interference (and if Linux kicks Windows' ass, them's the breaks).
15. To what extent is the threat of cyberwar and cyberterrorism a marketing tool for the military and security experts like yourself - the Y2K problem was nowhere near as bad as all the so-called experts said it would be?
Cyberwar is a legitimate but widely overblown concern. It could and probably will happen, but hey....ever had a blackout in your area? Did you die because you didn't have your computer access? The real cyberwar questions relate specifically to military equipment that relies on networking and that IS a legitimate issue. But it's always been that way. Jamming radio signals is age-old stuff. Similarly, the hawks will find a way to secure our military equipment.
16. Why is consumer awareness of security so poor, or why do people accept insecure tools (e.g. JavaScript security holes), poor implementation (e.g. Netscape's random numbers) or just plain lousy software design (e.g. various problems surrounding Microsoft products)?
Because people don't really care. Which is more important to you? Your favorite television show or your computer security? People don't realize the tremendous damage that can be done, so they don't care. (Also, corporate propaganda keeps telling people that they're safe - when they aren't.)