Interview with Eugene Spafford 168
scubacuda writes "Dr. Eugene 'Spaf' Spafford, security expert and professor of Computer Science at Purdue University, talks with Greplaw about what drove him to the computer security field, what it's like to testify before the White House and Congressional committees on information security and public policy, and how legislating technology is 'bad law.' For you budding legal geeks interested in forensics, technology, law, and ethics, Spaf has provided a reading list."
This guy rocks (Score:5, Interesting)
He sure knows his stuff and is a great source of inspiration for all of us.
Bonus Spafford interview (Score:4, Informative)
scubaduba, interesting interview. I see some of the same themes that he's talked about in the past. He is quite concerned about the effects of technology on the average person which he discusses in some detail in the interview linked below.
Here's an interview [pkiforum.com] with Eugene Spafford [pkiforum.com] in two parts that outlines a lot of the issues that he's concerned with. It provides some background and insights into his thinking. I found his views on the purpose of security technology especially interesting and somewhat unexpected. The same goes for his indirect criticism of Microsoft, which speaks to his comment in the Greplaw interview about 'using the right tools for the right jobs.'
Description courtesy of Bruce Schneier's Crypto-gram [schneier.com]:
Re:not impressed. (Score:2, Insightful)
Re:not impressed. (Score:2, Insightful)
Re:not impressed. (Score:5, Informative)
More recently, provisions of the Digital Millennium Copyright Act (DMCA) have led to faculty being threatened with lawsuits for publishing their security research, and some faculty (Fred Cohen and myself included) have decided to curtail or stop our research in some areas of security because of the potential for us to be arrested or sued. This is particularly true in the area of software threats -- the very same tools and techniques necessary to reverse-engineer and protect against malicious software are seen as a threat by many in the entertainment and content provision industries. Legislation against technology instead of against infringing behavior can only hurt our progress in securing the infrastructure.
Re:not impressed. (Score:2)
8. Revisit laws, such as the DMCA, that criminialize technology instead of behavior. It is extremely counterproductive in the long run to prohibit the technologists and educators from building tools and studying threats when the "bad guys" will not feel compelled to respect such prohibitions. [purdue.edu]
It's a rather diplomatic way of asking them to repeal the DMCA.
-
Re:not impressed. (Score:2)
Re:not impressed. (Score:2)
Spaf is an incredibly nice, easy-going guy who actively encourages open-mindedness and responsible exploration. Anyone who spends 5 minutes with the guy would realize that.
Moderators RTFA (Score:2)
Re:not impressed. (Score:1)
Re:not impressed. (Score:1)
Have you tried Googling for reseting the root password on Solaris?
Re: (Score:2)
Because you're clueless (Score:2)
The Great Worm, in its day, took down a far larger percentage of the Internet than ILOVEYOU or any of its ilk. We clamour for something to be done to those authors, who clearly have caused billions of dollars of loss, but look on older crackers with these weird rose-colored eyeglasses.
Read spaf's published analysis of the Great Worm sometime. (It was written a few days after the event.) The maliciousness was all there; fortunately, RTM was half-incompetent. Chunks of the code didn't even work and it
Re:not impressed. (Score:2)
(b) RTFA: Spaf has no interest in DRM/DMCA/etc. other than the chilling effect it's had on several areas he'd been working in and now doesn't dare to for concern of becoming the next Ed Felten.
Spaf's rep is impeccable IMHO
mods: please mod UP (Score:1)
I've got to say, though, I agree with AC. Spaf's a dick. "In short a net.nazi" is a PERFECT description of Spaf. Now I haven't had to deal with him for a long time, and maybe he's changed for the better. I certainly hope so; but, if this AC's impressions of Spaf were formed around the same time as mine were, then I can understand where the poster is coming from.
So, no, I don't find this post to
It's a complicated matter... (Score:4, Funny)
Define "like."
HAHAHA HE COPYD OUT OF TEH DICIONARY +5FUNAY!!111 (Score:1)
Define "like" (Score:2)
"What's so unpleasant about being drunk?"
"Ask a glass of water that sometime..."
The interviewer wasn't listening (Score:5, Interesting)
At least Spafford was a good sport and continued doing his best to try to bring all of the subsequent virus questions back into the umbrella of computer security.
Re:The interviewer wasn't listening (Score:3, Insightful)
The journalist is still at fault of course. Roger Rustad should have done his homework and found out that Spaf doesn't research viruses. He wasted half his questions on this fairly boring topic. Anyway, it sounds like S
Re:The interviewer wasn't listening (Score:2)
Re:The interviewer wasn't listening (Score:1)
Of course, many ignorant people these days just refer to anything bad that 'gets' on their computer due to malware as a 'virus.'
Re:The interviewer wasn't listening (Score:2, Informative)
Good call. I sent him a list of the questions several months ago and he just returned them the other day.
When I saw the direction he took it at the beginning, I considered adding/editing/rewording my original list of questions to fall under that umbrella. For better or worse (perhaps worse) I went ahead and published what I had.
Be very cautious when legislating technology (Score:5, Insightful)
Re:Be very cautious when legislating technology (Score:2, Funny)
Like Sharpies?
Re:CERIAS (Score:2)
Re:CERIAS (Score:2)
Re:CERIAS (Score:2)
Re:CERIAS (Score:1)
Re:CERIAS (Score:2)
Re:CERIAS (Score:2)
I'll bet like 5 people who read this article will have any idea about which bvilding I'm talking about. Those who do, dont you fell my pain?
Re:CERIAS (Score:2)
Nor is it an Office Supply Center (Score:1)
architectural differences? (Score:5, Interesting)
It's also worth noting that of the 3 UNIX worms he mentions, one, the RTM worm, hit long before it was fashionable to spread things in Windows. The architecture not only permitted it, the holes had been around for ages.
Interesting that Spaf said RTM should be jailed for unleashing that worm. If he had been, would he be an MIT professor now?
Re:architectural differences? (Score:3, Interesting)
A year ago, I would have agreed with this point of view. Internet Explorer, Outlook Express, IIS, and Windows itself were crawling with major security issues that different worms and viruses could exploit.
Now days, viruses a
Re:architectural differences? (Score:5, Interesting)
The problem is no longer with the Operating System itself. The problem is that most users care far too little about how the operating system works, and are much too trusting.
Say, for example, that you came back to your car one day, and there was the following note on the windshield.
"Helpful advice from another motorist; your engine has become clogged with a black, sticky residue which may be slowing it down. You can remove a plug from the bottom of the motor and drain this gooey stuff out, and your car will run so much better. Pass this advice on to everyone you know"
Most people would know enough about their car to recognise that this is not good advice, yet they will happily install 'updates', submit banking details to suspicious websites, or delete arbritrary files out of
See what I mean?
Re:architectural differences? (Score:2)
The equivalent analogy to this with cars is finding a note saying that the local police station is providing free smog checks, with an address to place in a bad part of town. If you did not know that the police have nothing to do with smog checks, you might believe the note. And if you didn't know that the address was not correct, you mi
Re:architectural differences? (Score:2)
Re:architectural differences? (Score:1)
If you told enough people to drain the oil from their cars, with a plausable reason for doing it, perhaps a number of them would. Expecially if it was as easy as removing a file from
The same applies to telling everyone they know.
Computers make lots of tasks easy; they don't differentiate between intelligent, productive tasks and pointless or destructive actions.
Re:architectural differences? (Score:2)
Re:architectural differences? (Score:2)
Yes, Vax/VMS, an OS so ancient, I've used it but a little. Enough to believe that it's not very UNIX-like at all, at least...
Y'know, there was once a time when people believed that worms (not viruses) could be helpful/useful... of course, that has long since been disproven...
Re:architectural differences? (Score:2)
Yes, Vax/VMS, an OS so ancient, I've used it but a little. Enough to believe that it's not very UNIX-like at all, at least...'
No, the worm only affected VAXen running 4.3BSD and sun 3 systems. It took advantage of flaws in sendmail and, IIRC, fingerd. VMS systems were unaffected by this.
Re:architectural differences? (Score:3, Interesting)
I was working on the Sprite [berkeley.edu] project at Berkeley at the time the worm hit. Sprite was largely UNIX-compatible, but at the source level, not binaries. So we saw evidence that one aspect of the system had been compatible enough to be attacked, with a certain file in /tmp that was evidence of worm activity, but it never actually got in because other things were different enough. Let's hear it for genetic mutations....
While others were cheering that it hadn't been compatib
Spaf?! (Score:3, Funny)
Spaf... hacked .. ???? (Score:2, Interesting)
anyone have any memories of this ??
or am i just have a bad Acid Flash back
Re:Spaf... hacked .. ???? (Score:1)
Re:Spaf... hacked .. ???? (Score:1)
more so for the "how he dealt with it" and "what happend that he could tell" point of view , rather than a *haha he got hacked*
Re:Spaf... hacked .. ???? (Score:1)
Re:Spaf... hacked .. ???? (Score:2, Interesting)
You can read an article/review about it here [theage.com.au] in the Melbourne Age. Eugene Spafford was interviewed in the documentary, and was a target of the above-mentioned hackers.
I will use the term hacker from now on, but you can substitute the term cracker if you think it is the more "correct" term.
My recollection of the documentary
CERIAS (Score:3, Informative)
Go Boilers!
Re:CERIAS (Score:1)
Nothing like having a NTP server less than 10 miles away!
Re:CERIAS (Score:2)
Re:CERIAS (Score:1)
Heh, I had CS426 taught by Spaf himself
Do they still have the lab where you get to play around with a UNIX shell script
virus?
Interesting Read (Score:5, Interesting)
Overall, an article worth reading. Two things I found worth noting. First, the "false convenience" metaphor in
I thought was an excellent way to characterise the arguments often raised when such things as user education, simple point-and-click interfaces, administration costs, etc. are the topics of discussion. Also, when asked, the response is notably diplomatic: but then goes on to mention:Re:Interesting Read (Score:2, Insightful)
He owns a Mac box for desktop use, Solaris for his server, a Windows tablet PC (there really is no functionally equiv. alternative tablet platform) and OpenBSD for his laptop (really the only odd one out, probably as his system for x86 coding).
Looks to me like he's chosen "the right tools for the right jobs," just like he says in the article.
Barto
Re:Interesting Read (Score:3, Informative)
all you need to know about information security (Score:3, Funny)
rot13 [rot13.com]
Similar Names... (Score:4, Funny)
cat internet | egrep -i gr[:vowel:][:explosive\ consonant:]law
Which reminds me, I really wish multi-character atoms would work with reg-ex. The spec calls for them, but they haven't worked in any implementation I've used.
Problems with Academia. (Score:1, Insightful)
I know how little they are actually doing up at CERIAS in regards to forensic analysis. They have 1 guy working on research, and another guy who releases tools that have an inte
Pontification (Score:3, Informative)
I always enjoyed his lectures (Score:3, Interesting)
It was even interesting to see who he lined up as a guest lecturer each time he had to fly to Washington to brief the Government on something. They all had some weird story about security lapses somewhere important.
True Story (Score:4, Interesting)
I graduated from Purdue undergrad ECE in '02 and with the job market the way it was back then I knew I'd go to grad school. I had picked up a big interest in infosec my last year there so I emailed Spaf about opportunities in grad school. As soon as he found out I was a lowly Computer Engineer he basically said I shouldn't bother.
So I ended up at Carnegie Mellon instead, and I just finished my MS in Information Networking with a focus on security, I even got to write a Mandatory Access Control system for Linux for my thesis.... Hey Gene? Am I up good enough to be a grad student now?
Re:True Story (Score:3, Interesting)
I ended up dropping out of university and moving into the computer security industry full time, and haven't looked back since. Off and on, I've had to write some code for a work-related project, bu
GrokLaw, GrepLaw... (Score:1)
Missing Comment (Score:2)
A nice interview, but I would be interested to see what Spaf's views are on TCPA.