Now, just because you know where all of the entrances are, you don't necessarily know identities of those using the entrances. But you can take much stronger action in the name of security on a computer network than you can in a civilization. For some reason people are far happier to subject themselves to monitoring and the hassle of constantly presenting credentials when it comes to computers than they are in real life. For instance, if you buy batteries and Radio Shack and they ask you for your address you get pissed off. But you'll visit myriad web sites that record your IP address without much of a thought. People are afraid that their supermarkets are recording the fact that they buy more boxes of cookies than they do apples, but are seemingly unphased by the fact that the AOL's proxy servers have copies of pretty much every web page visited. It's a hassle to supply a password every time you log onto your ISP or when you read a newspaper online, but people are okay with it. But people would never show their passports every time they got on the subway. So again, it's much simpler to enforce security on a computer network than in real life.

And then there is fact that with computers the worst thing that can happen- to the computer that is- is that you have to restore from backup and maybe lose some data. If someone decides that it's cute to DoS Yahoo and CNN or tag the front page of the New York Times people can't read news or whatever for a little while, but a couple of days later everything is fine. Even if someone was able to disable an electric company's power grid for a little while, while the immediate effect may be devastating the effect would only be temporary. But buildings can't be brought back from tape.

So, if I am to attempt to bring this all to some sort of conclusion, I do think that there is certainly a risk of 'Cyber Terrorism' (or whichever name is in fasion today), but I don't think that addressing the threat is nearly as complex as addressing the threat to the physical infrastructure of our country. Nor do I feel that the effects could be as substantial.


What are your future plans? Any exciting new projects?

I've found that my definition of exciting can be drastically different from that of others, but I do have a few ideas. I'd like to move into more of an R&D role and away from the penetration testing. Believe it or not, breaking into computers can get boring after a while. More and more I find myself excited by theory rather than what new vulnerabilities exist in what software. I've always said that you have to know offense to play defense, but the offense has always been more exciting to me :). So the stuff I'm working on now is more in the offensive arena, particularly with regards to attacking web-based applications. In 5 years that's pretty much all there will be, and finding out now how web services are broken is extremely important. I do have some ideas for defensive projects, but they are all at the hardware level so I'll need TrustWave to kick down a couple more R&D dollars before I can proceed :).

My immediate plans, however, are to go lie on the couch with my brand new wife and take a nap.