Slashdot Mirror


Interview with Eugene Spafford

scubacuda writes "Dr. Eugene 'Spaf' Spafford, security expert and professor of Computer Science at Purdue University, talks with Greplaw about what drove him to the computer security field, what it's like to testify before the White House and Congressional committees on information security and public policy, and how legislating technology is 'bad law.' For you budding legal geeks interested in forensics, technology, law, and ethics, Spaf has provided a reading list."

13 of 168 comments

  1. This guy rocks by PissingInTheWind · · Score: 5, Interesting

    I saw him recently at a conference. He talked about how we all need as Americans to make sure we know how to stand in the menace of the actual "orwellian" (his words) government policies.

    He sure knows his stuff and is a great source of inspiration for all of us.

    --

    A message from the system administrator: 'I've upped my priority. Now up yours.'
  2. not impressed. by Anonymous Coward · · Score: 0, Interesting

    Ah, Spafford. The guy who said RTM should be jailed for an accident with a worm - what a nice guy. NOT.

    Before giving this guy big hugs and kisses think about what he stands for. Sure, he has a book or two published, by O'Reilly no less. But he's the kind of guy who believes in DRM, DMCA, inflated estimates of "damages" in hacker cases and jail for anyone who so much as sniffs the wrong port. In short a net.nazi.

  3. The interviewer wasn't listening by ObviousGuy · · Score: 5, Interesting

    It's great how the interviewer opens up the topic of virii and Spafford replies quite clearly that virii are not things he studies and that he can give references to other experts if the interviewer so wishes. Then the interviewer just plows ahead trying to make out like virii are the key problem in computer security.

    At least Spafford was a good sport and continued doing his best to try to bring all of the subsequent virus questions back into the umbrella of computer security.

    --
    I have been pwned because my /. password was too easy to guess.
  4. architectural differences? by Frisky070802 · · Score: 4, Interesting
    I'm curious about Spaf's comment that the prevalence of worms on Windows is due to architectural differences rather than market share. Is there proof of this? Certainly people write worms/virii for Windows because it's easier, but also because it's so much easier to hit critical mass.

    It's also worth noting that of the 3 UNIX worms he mentions, one, the RTM worm, hit long before it was fashionable to spread things in Windows. The architecture not only permitted it, the holes had been around for ages.

    Interesting that Spaf said RTM should be jailed for unleashing that worm. If he had been, would he be an MIT professor now?

    --
    Mencken had it right. So glad that's old news.
    1. Re:architectural differences? by zcat_NZ · · Score: 3, Interesting

      I'm curious about Spaf's comment that the prevalence of worms on Windows is due to architectural differences rather than market share. Is there proof of this? Certainly people write worms/virii for Windows because it's easier, but also because it's so much easier to hit critical mass.

      A year ago, I would have agreed with this point of view. Internet Explorer, Outlook Express, IIS, and Windows itself were crawling with major security issues that different worms and viruses could exploit.

      Nowadays, viruses are starting to arrive as a zipped, passworded attachment, relying entirely on social engineering tricks to fool the user into running the virus.

      If Linux were the predominant desktop operating system, I think these viruses would still be arriving, as gpg-encrypted rpm's or tarballs, and the same users would still be fooled into installing them with root privileges.

      --
      455fe10422ca29c4933f95052b792ab2
    2. Re:architectural differences? by zcat_NZ · · Score: 5, Interesting

      Allow me to respond to myself;

      The problem is no longer with the Operating System itself. The problem is that most users care far too little about how the operating system works, and are much too trusting.

      Say, for example, that you came back to your car one day, and there was the following note on the windshield.

      "Helpful advice from another motorist; your engine has become clogged with a black, sticky residue which may be slowing it down. You can remove a plug from the bottom of the motor and drain this gooey stuff out, and your car will run so much better. Pass this advice on to everyone you know"

      Most people would know enough about their car to recognise that this is not good advice, yet they will happily install 'updates', submit banking details to suspicious websites, or delete arbitrary files out of /windows/system32 with barely a thought.

      See what I mean?

      --
      455fe10422ca29c4933f95052b792ab2
    3. Re:architectural differences? by Frisky070802 · · Score: 2, Interesting
      A funny anecdote for you here....

      I was working on the Sprite project at Berkeley at the time the worm hit. Sprite was largely UNIX-compatible, but at the source level, not binaries. So we saw evidence that one aspect of the system had been compatible enough to be attacked, with a certain file in /tmp that was evidence of worm activity, but it never actually got in because other things were different enough. Let's hear it for genetic mutations....

      While others were cheering that it hadn't been compatible enough to be effectively attacked, I was the one who'd done most of the UNIX compatibility, and my thought was "wow, we were compatible enough for it to get in and write tmp files! Cool!" :)

      --
      Mencken had it right. So glad that's old news.
  5. Spaf... hacked .. ???? by OneArmedMan · · Score: 2, Interesting

    I really don't know anything about Spaf, but I think that I read somewhere once that back in the day (late 80's, early 90's) his personal machine at MIT or Purdue or wherever he was at the time got hacked fairly badly...

    Anyone have any memories of this??

    Or am I just having a bad acid flashback...???

    1. Re:Spaf... hacked .. ???? by aspeer · · Score: 2, Interesting
      There was a documentary on ABC (Australian Broadcasting Corporation) TV about two early Australian hackers/crackers, Electron and Phoenix. It was called "Breaking into The Realm".

      You can read an article/review about it here in the Melbourne Age. Eugene Spafford was interviewed in the documentary, and was a target of the above-mentioned hackers.

      I will use the term hacker from now on, but you can substitute the term cracker if you think it is the more "correct" term.

      My recollection of the documentary says that one of the hackers did claim to compromise one of Eugene Spafford's machines, albeit briefly. I cannot recall if Eugene Spafford confirmed this in the interview, but I doubt it (his confirmation, that is).

      Whilst it is impossible to verify what was claimed by the hackers, the tone in which it was told was not "boastful", and given the other systems that they were convicted of getting into (NASA etc), it does not seem fanciful that they did indeed compromise his machine for a short period of time - which does kind of go against what he claims in the article.

      In terms of the documentary, it was excellent viewing. It did not appear sensationalised or biased, and laid out the people and (sometimes) the motives behind some of these early attacks. Recommended viewing, if you can find it.

  6. Interesting Read by value_added · · Score: 5, Interesting

    Overall, an article worth reading. Two things I found worth noting. First, the "false convenience" metaphor in

    "So long as false convenience and poor design are more important to the average user than security and safety then we are going to have problems."
    I thought was an excellent way to characterise the arguments often raised when such things as user education, simple point-and-click interfaces, administration costs, etc. are the topics of discussion. Also, when asked,
    "What is your preferred platform-Wintel, Linux, MacOS, or....?"
    the response is notably diplomatic:
    "It depends on the application need. No one system (or language or database or...) is ideal for every use. I'm a big believer in using the right tools for the right jobs."
    but then goes on to mention:
    • primary system - Mac OS X (owns 5 Macs)
    • mail and file server - Solaris on a Sun box
    • laptop - OpenBSD
    • tablet PC - Windows
  7. I always enjoyed his lectures by frinkster · · Score: 2, Interesting

    He's quite the story teller and can relate one to almost every security issue there is. His class was the kind where you almost didn't realize you were learning until it was too late - the final comes and you ask yourself how you learned all the answers.

    It was even interesting to see who he lined up as a guest lecturer each time he had to fly to Washington to brief the Government on something. They all had some weird story about security lapses somewhere important.

  8. True Story by CajunArson · · Score: 3, Interesting

    It's boring but what the hell....
    I graduated from Purdue undergrad ECE in '02 and with the job market the way it was back then I knew I'd go to grad school. I had picked up a big interest in infosec my last year there so I emailed Spaf about opportunities in grad school. As soon as he found out I was a lowly Computer Engineer he basically said I shouldn't bother.
    So I ended up at Carnegie Mellon instead, and I just finished my MS in Information Networking with a focus on security, I even got to write a Mandatory Access Control system for Linux for my thesis.... Hey Gene? Am I good enough to be a grad student now?

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:True Story by harikiri · · Score: 2, Interesting
      I felt a similar attitude when I was looking into Centre for Computer Security Research at University of Wollongong. Back then instead of actually studying, I was porting Route's Trusted Path Execution patch for Linux (and I think OpenBSD) across to FreeBSD and learning how to program with the openssl libraries.

      I ended up dropping out of university and moving into the computer security industry full time, and haven't looked back since. Off and on, I've had to write some code for a work-related project, but not that often (usually use commercial security solutions).

      I suspect some of these security guys who have been around a long time, whether they know it or not - develop an ivory tower complex. Nobody knows how to do anything better than they can, because they've seen it all - or you have to prove yourself by being an honours student or something.

      Bah! I say... I'm making more money than you smelly students anyway! ;-)

      --
      Man watching 6 MSCE's around a sun box, looks a lot like the opening scenes of 2001:space odyssey...