In his copious free time he likes breaking things and writing code.
Jacob Carlson is also the co-author of the acclaimed "Internet Site Security". The recent review of this book at HNS was a perfect opportunity to get him to answer a few questions. Here we go...
How did you gain interest in computer security?
Hrm....I think that it was the same curiosity that had me taking apart door knobs and clock radios when I was a kid. I've always just been curious about how things work, and more importantly how to make things work in ways the designer didn't intend.
You do a lot of penetration testing for your company. What are your favourite tools and why?
Most of the tools I use I either wrote myself or are one-offs/modifications of publicly available tools. The main publicly available unmodified (well, only slightly modified :) tool that I cannot live without is netcat. It is exactly the correct tool for a billion different tasks; most of the reconnaissance and exploitation that I do is manual and netcat allows me complete control over the network connections.
In your opinion what are the most important things an administrator has to do in order to keep a network secure?
#1: disable everything not in use.
#2: patch patch patch patch patch. then patch.
#3: do not trust any users.
What was it like to be a co-author of "Internet Site Security"? Any major difficulties?
Writing a book is very similar to giving breech birth to a porcupine. We didn't get time off of our normal jobs to write (like other people out there :), so we were constantly facing book deadlines in addition to work deadlines. Last September, right as we were wrapping up the first draft of the completed book, I had to go to Germany and France to teach some classes. Because France has weird laws concerning cryptography I didn't bring my laptop, but since I only planned on being gone a short while I thought that I would still be able to get everything completed. Well, I was in Germany on September 11 and ended up not getting back to New York for 2 and a half weeks or something. Obviously the book delay was not the greatest of my worries (my wife and I live about a mile and a half from the former World Trade Center), but by that point I thought that we would never finish.
What books, articles, whitepapers would you recommend to people that are starting to learn about computer security?