Interview with Eugene Spafford
scubacuda writes "Dr. Eugene 'Spaf' Spafford, security expert and professor of Computer Science at Purdue University, talks with Greplaw about what drove him to the computer security field, what it's like to testify before the White House and Congressional committees on information security and public policy, and how legislating technology is 'bad law.' For you budding legal geeks interested in forensics, technology, law, and ethics, Spaf has provided a reading list."
I saw him recently at a conference. He talked about how we all need, as Americans, to make sure we know how to stand up to the menace of the current "Orwellian" (his words) government policies.
He sure knows his stuff and is a great source of inspiration for all of us.
A message from the system administrator: 'I've upped my priority. Now up yours.'
Define "like."
True story.
It's great how the interviewer opens up the topic of virii and Spafford replies quite clearly that virii are not things he studies and that he can give references to other experts if the interviewer so wishes. Then the interviewer just plows ahead trying to make out like virii are the key problem in computer security.
At least Spafford was a good sport and continued doing his best to try to bring all of the subsequent virus questions back into the umbrella of computer security.
Technology typically finds its own solutions to problems, which makes many laws incredible nuisances, stifling innovation.
I think he is good for the same reason. Hackers, in the cracker sense, do deserve large amounts of jail time. If you steal a CD, you're fined more than the $30 retail value. If you contribute to the worms and viruses which ruin many new computer users' Internet experiences, take down websites, etc., you deserve big jail time and fines.
Help Fight SPAM today!
It's also worth noting that of the 3 UNIX worms he mentions, one, the RTM worm, hit long before it was fashionable to spread things in Windows. The architecture not only permitted it, the holes had been around for ages.
Interesting that Spaf said RTM should be jailed for unleashing that worm. If he had been, would he be an MIT professor now?
Mencken had it right. So glad that's old news.
If he's so smart, why couldn't he think up a better nickname? I rest my case.
Take it from me, he isn't like that, and yes I had him guest lecture in my Ethics in Computing (PHIL 590?) class so don't say I don't know what the hell I'm talking about; unfortunately he hasn't taught CS426 in a long time :(
MA, CL50, University or BEER :) ?
I really don't know anything about Spaf, but I think that I read somewhere once that back in the day (late 80s, early 90s) his personal machine at MIT or Purdue or wherever he was at the time got hacked fairly badly ..
.. ???
Anyone have any memories of this??
Or am I just having a bad acid flashback?
For those of you interested, CERIAS is actually a pretty impressive research group. One of the PhD students is teaching our cs426 class right now, and it's one of the few CS classes I've taken where I'm actually learning practical knowledge about computer security.
Go Boilers!
This is not a Sig.
Overall, an article worth reading. Two things I found worth noting. First, the "false convenience" metaphor in
I thought was an excellent way to characterise the arguments often raised when such things as user education, simple point-and-click interfaces, administration costs, etc. are the topics of discussion. Also, when asked, the response is notably diplomatic: but then goes on to mention:

In reading your post, it becomes obvious that you don't have any clue what you're talking about. I will give you a brief portion of his testimony before Congress on July 24th, 2003.
More recently, provisions of the Digital Millennium Copyright Act (DMCA) have led to faculty being threatened with lawsuits for publishing their security research, and some faculty (Fred Cohen and myself included) have decided to curtail or stop our research in some areas of security because of the potential for us to be arrested or sued. This is particularly true in the area of software threats -- the very same tools and techniques necessary to reverse-engineer and protect against malicious software are seen as a threat by many in the entertainment and content provision industries. Legislation against technology instead of against infringing behavior can only hurt our progress in securing the infrastructure.
Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
rot13
"If you think you have things under control, you're not going fast enough." --Mario Andretti
Don't forget about their mirrors for many linux distros and NTP servers!
Nothing like having a NTP server less than 10 miles away!
Great! Now I can find all the tech law websites I want with one simple command:
cat internet | egrep -i gr[:vowel:][:explosive\ consonant:]law
Which reminds me, I really wish multi-character atoms would work with regexes. The spec calls for them, but they haven't worked in any implementation I've used.
yeah it's BRNG fool
Only requirement for good karma: be pedantic as much and as often as possible.
You're completely off-base re: his feelings about DMCA and DRM. Spaf has expressed numerous times publically and around the office that he does not agree with current legislation related to fair use, and especially where it limits legitimate research.
Spaf is an incredibly nice, easy-going guy who actively encourages open-mindedness and responsible exploration. Anyone who spends 5 minutes with the guy would realize that.
The second floor offices aren't so bad -- I'm glad we don't have to be up on the fourth floor. Those history grad students are scary.
Wow, people use the NTP servers? The sysadmins will be glad to know that all of the bs they've had to deal with getting the new ones up hasn't been in vain.
You mean LAEB :)
Moderators, at least have a cursory R of TFA before modding this crap up. This guy is either trolling or he's smoking crack (or both). His post bears no resemblance to reality.
The problems that I see arising are when people like Spaf have a significant influence on the maturation of the computer crime field. This, from a practitioner's point of view, is frustrating as people such as Spaf have rarely left their offices and campuses, have little to no experience (in comparison), and often pontificate loudly.
I know how little they are actually doing up at CERIAS in regards to forensic analysis. They have 1 guy working on research, and another guy who releases tools that have an interface that sucks like a cheap whore. Again, they have not left their offices. (Smart dudes of course, but no exp.)
We don't want computer security types. We need AFS to set up certification.
Computer Security != Computer Forensics, for fooks sake.
Why argue? It's the liberal arts building! ;)
- A
Except you block the damn bathrooms from the first floor, and I always, without fail, go up the wrong staircase. And there is this great sign telling you, no through traffic. One day, I got mad, and I walked through anyway, and I got away with it.
I'll bet like 5 people who read this article will have any idea about which building I'm talking about. Those who do, don't you feel my pain?
-- the computer doesn't want any beer, no matter how much you think it does. NEVER, EVER feed your computer beer.
He's quite the story teller and can relate one to almost every security issue there is. His class was the kind where you almost didn't realize you were learning until it was too late - the final comes and you ask yourself how you learned all the answers.
It was even interesting to see who he lined up as a guest lecturer each time he had to fly to Washington to brief the Government on something. They all had some weird story about security lapses somewhere important.
I wonder if he has any suggestions for me on cracking the password file on the Purdue University Sparc box I bought at auction that has Solaris on it? The drive is 'set aside' because I couldn't get into it, but I can plug it back into the machine as a second drive and mount it if I want.
---
No, really, that was funny. I'm just a fan of crazy subject lines.
True story.
The guy who said RTM should be jailed for an accident with a worm - what a nice guy.
RTM did a lot of damage doing something he should have known not to do. I wouldn't let him cop a walk if he botched an unauthorized chemistry experiment and burned a lab down, either.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
It's boring but what the hell....
I graduated from Purdue undergrad ECE in '02 and with the job market the way it was back then I knew I'd go to grad school. I had picked up a big interest in infosec my last year there so I emailed Spaf about opportunities in grad school. As soon as he found out I was a lowly Computer Engineer he basically said I shouldn't bother.
So I ended up at Carnegie Mellon instead, and I just finished my MS in Information Networking with a focus on security. I even got to write a Mandatory Access Control system for Linux for my thesis.... Hey Gene? Am I up good enough to be a grad student now?
AntiFA: An abbreviation for Anti First Amendment.
The Great Worm, in its day, took down a far larger percentage of the Internet than ILOVEYOU or any of its ilk. We clamour for something to be done to those authors, who clearly have caused billions of dollars of loss, but look on older crackers with these weird rose-colored eyeglasses.
Read spaf's published analysis of the Great Worm sometime. (It was written a few days after the event.) The maliciousness was all there; fortunately, RTM was half-incompetent. Chunks of the code didn't even work and it still wiped out most of the net.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
scubaduba, interesting interview. I see some of the same themes that he's talked about in the past. He is quite concerned about the effects of technology on the average person which he discusses in some detail in the interview linked below.
Here's an interview with Eugene Spafford in two parts that outlines a lot of the issues that he's concerned with. It provides some background and insights into his thinking. I found his views on the purpose of security technology especially interesting and somewhat unexpected. The same goes for his indirect criticism of Microsoft, which speaks to his comment in the Greplaw interview about 'using the right tools for the right jobs.'
Description courtesy of Bruce Schneier's Crypto-gram:
...what next, GropeLaw?
Actually there's a much better congressional testimony quote on the DMCA. Page 13 of the following PDF (labeled page 11 in the text) says:
8. Revisit laws, such as the DMCA, that criminalize technology instead of behavior. It is extremely counterproductive in the long run to prohibit the technologists and educators from building tools and studying threats when the "bad guys" will not feel compelled to respect such prohibitions.
It's a rather diplomatic way of asking them to repeal the DMCA.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
He must've got him confused with that Spamford guy, Spamford Wallace or something... :)
We generally don't yell at people for walking through. I only get testy when I find people sleeping on the benches outside my office. This ain't a bus station, kids.
A nice interview, but I would be interested to see what Spaf's views are on TCPA.
"Provided by the management for your protection."
Speaking of Spaf pontificating loudly, don't forget to read the "Farewell To Usenet" message he posted back in 1993, declaring that it was the end of an era for Usenet because he was bored with it.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Damn kids coming in wanting to borrow my damn stapler. They're worse than stray dogs.
Okay, I got Linux installed. So where's the free beer everyone keeps talking about??
One of the PhD students is teaching our cs426 class right now...
:P
Heh, I had CS426 taught by Spaf himself
Do they still have the lab where you get to play around with a UNIX shell script virus?
"Save the whales, feed the hungry, free the mallocs" -- author unknown
(a) The Worm did more damage in its day than almost anything seen since. And it was no accident, AC: RTM had interned at BTL and was intimately familiar with Unix internals. The only accident was that his delay counters were too small and spread the worm much faster than he'd intended.
(b) RTFA: Spaf has no interest in DRM/DMCA/etc. other than the chilling effect it's had on several areas he'd been working in and now doesn't dare to for fear of becoming the next Ed Felten.
Spaf's rep is impeccable IMHO.
It seems that people are calling "bullshit" on this and claiming the AC is a troll, which is understandable.
I've got to say, though, I agree with AC. Spaf's a dick. "In short a net.nazi" is a PERFECT description of Spaf. Now I haven't had to deal with him for a long time, and maybe he's changed for the better. I certainly hope so; but, if this AC's impressions of Spaf were formed around the same time as mine were, then I can understand where the poster is coming from.
So, no, I don't find this post to be a troll. He may be wrong in thinking that Spaf is pro-DMCA, but the Spaf I've spoken with was most certainly not an open-minded guy who "actively encourages responsible exploration" as others here have claimed.
Have you tried Googling for resetting the root password on Solaris?
"It's unpleasantly like being drunk."
"What's so unpleasant about being drunk?"
"Ask a glass of water that sometime..."