Slashdot Mirror

← Back to Stories (view on slashdot.org)

Interview with Eugene Spafford

Posted by michael on from the open-sesame dept.

scubacuda writes "Dr. Eugene 'Spaf' Spafford, security expert and professor of Computer Science at Purdue University, talks with Greplaw about what drove him to the computer security field, what it's like to testify before the White House and Congressional committees on information security and public policy, and how legislating technology is 'bad law.' For you budding legal geeks interested in forensics, technology, law, and ethics, Spaf has provided a reading list."

13 of 168 comments (clear)

  1. This guy rocks by PissingInTheWind · · Score: 5, Interesting

    I saw him recently in a conference. He talked about how we all need as americans to make sure we know how to stand in the menace of the actual "orwellian" (his words) government policies.

    He sure knows his stuff and is a great source of inspiration for all of us.

    --

    A message from the system administrator: 'I've upped my priority. Now up yours.'
  2. It's a complicated matter... by Deraj+DeZine · · Score: 4, Funny
    what it's like to testify before the White House and Congressional committees on information security and public policy

    Define "like."

    --
    True story.
  3. The interviewer wasn't listening by ObviousGuy · · Score: 5, Interesting

    It's great how the interviewer opens up the topic of virii and Spafford replies quite clearly that virii are not things he studies and that he can give references to other experts if the interviewer so wishes. Then the interviewer just plows ahead trying to make out like virii are the key problem in computer security.

    At least Spafford was a good sport and continued doing his best to try to bring all of the subsequent virus questions back into the umbrella of computer security.

    --
    I have been pwned because my /. password was too easy to guess.
  4. Be very cautious when legislating technology by ElliotLee · · Score: 5, Insightful

    Technology typically finds its own solutions to problems, which makes many laws incredible nuisances, stifling innovation.

  5. architectural differences? by Frisky070802 · · Score: 4, Interesting
    I'm curious about Spaf's comment that the prevalence of worms on Windows is due to architectural differences rather than market share. Is there proof of this? Certainly people write worms/virii for Windows because it's easier, but also because it's so much easier to hit critical mass.

    It's also worth noting that of the 3 UNIX worms he mentions, one, the RTM worm, hit long before it was fashionable to spread things in Windows. The architecture not only permitted it, the holes had been around for ages.

    Interesting that Spaf said RTM should be jailed for unleashing that worm. If he had been, would he be an MIT professor now?

    --
    Mencken had it right. So glad that's old news.
    1. Re:architectural differences? by zcat_NZ · · Score: 3, Interesting

      I'm curious about Spaf's comment that the prevalence of worms on Windows is due to architectural differences rather than market share. Is there proof of this? Certainly people write worms/virii for Windows because it's easier, but also because it's so much easier to hit critical mass.

      A year ago, I would have agreed with this point of view. Internet Explorer, Outlook Express, IIS, and Windows itself were crawling with major security issues that different worms and viruses could exploit.

      Now days, viruses are starting to arrive as a zipped, passworded attachment, replying entirely on social engineering tricks to fool the user into running the virus.

      If Linux were the predominant desktop operating system, I think these viruses would still be arriving, as gpg-encrypted rpm's or tarballs, and the same users would still be fooled into installing them with root priviledges.

      --
      455fe10422ca29c4933f95052b792ab2
    2. Re:architectural differences? by zcat_NZ · · Score: 5, Interesting

      Allow me to respond to myself;

      The problem is no longer with the Operating System itself. The problem is that most users care far too little about how the operating system works, and are much too trusting.

      Say, for example, that you came back to your car one day, and there was the following note on the windshield.

      "Helpful advice from another motorist; your engine has become clogged with a black, sticky residue which may be slowing it down. You can remove a plug from the bottom of the motor and drain this gooey stuff out, and your car will run so much better. Pass this advice on to everyone you know"

      Most people would know enough about their car to recognise that this is not good advice, yet they will happily install 'updates', submit banking details to suspicious websites, or delete arbritrary files out of /windows/system32 with barely a thought.

      See what I mean?

      --
      455fe10422ca29c4933f95052b792ab2
  6. Spaf?! by Anonymous Coward · · Score: 3, Funny

    If he's so smart, why couldn't he think up a better nickname? I rest my case.

  7. Interesting Read by value_added · · Score: 5, Interesting

    Overall, an article worth reading. Two things I found worth noting. First, the "false convenience" metaphor in

    "So long as false convenience and poor design are more important to the average user than security and safety then we are going to have problems."
    I thought was an excellent way to characterise the arguments often raised when such things as user education, simple point-and-click interfaces, administration costs, etc. are the topics of discussion. Also, when asked,
    " What is your preferred platform-Wintel, Linux, MacOS, or....? "
    the response is notably diplomatic:
    "It depends on the application need. No one system (or language or database or...) is ideal for every use. I'm a big believer in using the right tools for the right jobs."
    but then goes on to mention:
    • primary system - Mac OS X (owns 5 Macs)
    • mail and file server - Solaris on a Sun box
    • laptop - OpenBSD
    • tablet PC - Windows
  8. Re:not impressed. by Ogrez · · Score: 4, Informative

    In reading your post, it becomes obvious that you dont have any clue what your talking about, I will give you a brief portion of his testimoney before congress on July 24th 2003.

    More recently, provisions of the Digital Millennium Copyright Act (DMCA) have led to faculty being threatened with lawsuits for publishing their security research, and some faculty (Fred Cohen and myself included) have decided to curtail or stop our research in some areas of security because of the potential for us to be arrested or sued. This is particularly true in the area of software threats -- the very same tools and techniques necessary to reverse-engineer and protect against malicious software are seen as a threat by many in the entertainment and content provision industries. Legislation against technology instead of against infringing behavior can only hurt our progress in securing the infrastructure.

    --


    Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
  9. Similar Names... by CedgeS · · Score: 4, Funny

    Great! Now I can find all the tech law websites I want with one simple command:

    cat internet | egrep -i gr[:vowel:][:explosive\ consonant:]law

    Which reminds me, I really wish multi-character atoms would work with reg-ex. The spec calls for them, but they haven't worked in any implementation I've used.

  10. True Story by CajunArson · · Score: 3, Interesting

    It's boring but what the hell....
    I graduated from Purdue undergrad ECE in '02 and with the job market the way it was back then I knew I'd go to grad school. I had picked up a big interest in infosec my last year there so I emailed Spaf about opportunities in grad school. As soon as he found out I was a lowly Computer Engineer he basically said I shouldn't bother.
    So I ended up at Carnegie Mellon instead, and I just finished my MS in Information Networking with a focus on security, I even got to write a Mandatory Access Control system for Linux for my thesis.... Hey Gene? Am I up good enough to be a grad student now?

    --
    AntiFA: An abbreviation for Anti First Amendment.
  11. Bonus Spafford interview by securitas · · Score: 3, Informative

    scubaduba, interesting interview. I see some of the same themes that he's talked about in the past. He is quite concerned about the effects of technology on the average person which he discusses in some detail in the interview linked below.

    Here's an interview with Eugene Spafford in two parts that outlines a lot of the issues that he's concerned with. It provides some background and insights into his thinking. I found his views on the purpose of security technology especially interesting and somewhat unexpected. The same goes for his indirect criticism of Microsoft, which speaks to his comment in the Greplaw interview about 'using the right tools for the right jobs.'

    Description courtesy of Bruce Schneier's Crypto-gram:

    Long and interesting interview with Gene Spafford, about the infosec threat landscape; privacy; the challenges of digital certificates, CRLs, public key infrastructure standards and interoperability; key escrow, backup and recovery; identity fraud; trust on the Internet; and the problems of security education today. Sample quote: "Security doesn't work as an add-on. It really needs to be built-in from the beginning."