Interview with Eugene Spafford

scubacuda writes "Dr. Eugene 'Spaf' Spafford, security expert and professor of Computer Science at Purdue University, talks with Greplaw about what drove him to the computer security field, what it's like to testify before the White House and Congressional committees on information security and public policy, and how legislating technology is 'bad law.' For you budding legal geeks interested in forensics, technology, law, and ethics, Spaf has provided a reading list."

CERIAS

[newdamage]

For those of you interested, CERIAS is actually a pretty impressive research group. One of the PhD students is teaching our cs426 class right now, and it's one of the few CS classes I've taken where I'm actually learning practical knowledge about computer security.

Go Boilers!

Re:not impressed.

[Ogrez]

In reading your post, it becomes obvious that you dont have any clue what your talking about, I will give you a brief portion of his testimoney before congress on July 24th 2003.

More recently, provisions of the Digital Millennium Copyright Act (DMCA) have led to faculty being threatened with lawsuits for publishing their security research, and some faculty (Fred Cohen and myself included) have decided to curtail or stop our research in some areas of security because of the potential for us to be arrested or sued. This is particularly true in the area of software threats -- the very same tools and techniques necessary to reverse-engineer and protect against malicious software are seen as a threat by many in the entertainment and content provision industries. Legislation against technology instead of against infringing behavior can only hurt our progress in securing the infrastructure.

Bonus Spafford interview

[securitas]

scubaduba, interesting interview. I see some of the same themes that he's talked about in the past. He is quite concerned about the effects of technology on the average person which he discusses in some detail in the interview linked below.

Here's an interview with Eugene Spafford in two parts that outlines a lot of the issues that he's concerned with. It provides some background and insights into his thinking. I found his views on the purpose of security technology especially interesting and somewhat unexpected. The same goes for his indirect criticism of Microsoft, which speaks to his comment in the Greplaw interview about 'using the right tools for the right jobs.'

Description courtesy of Bruce Schneier's Crypto-gram:

Long and interesting interview with Gene Spafford, about the infosec threat landscape; privacy; the challenges of digital certificates, CRLs, public key infrastructure standards and interoperability; key escrow, backup and recovery; identity fraud; trust on the Internet; and the problems of security education today. Sample quote: "Security doesn't work as an add-on. It really needs to be built-in from the beginning."

Re:Interesting Read

[Chuu]

About the tablet PC, every CS professor at Purdue University got a free tablet PC from microsoft, as well as a donation of enough for a class dedicated to table pc applications (more info : http://www.cs.purdue.edu/homes/cmh/490T/). I believe microsoft also donated a couple hundred (!) PocketPC's for Purdue's e-stadium project. I wouldn't read too much into the fact he owns a tablet.

Re:The interviewer wasn't listening

[scubacuda]

"Plowed ahead."

Good call. I sent him a list of the questions several months ago and he just returned them the other day.

When I saw the direction he took it at the beginning, I considered adding/editing/rewording my original list of questions to fall under that umbrella. For better or worse (perhaps worse) I went ahead and published what I had.

Pontification

[metamatic]

Speaking of Spaf pontificating loudly, don't forget to read the "Farewell To Usenet" message he posted back in 1993, defining that it was the end of an era for Usenet because he was bored with it.