I've been kicking around the Internet for quite a while. Around 1981, while in college, I worked at the National Institutes of Health as a "computer specialist". At the time, I was amazed at how careless system designers, users, and so forth were with regard to security. I used to demonstrate to my managers how easy it was for me to get access to information I shouldn't. It was there that I became interested in security, networking, and distributed computing in general. Remember, at that time, the IBM PC didn't exist (it would soon come into existence). We used IBM mainframes, Commodore computers, and 8-bit CP/M machines.
Through my career I became heavily involved with the Internet and distributed computing in general and, in the early 1990s, led the deployment of Global SprintLink, a large international Internet backbone. Hackers made themselves known then, some in good ways and some in challenging ways ;-). At that time, groups of hackers were particularly bothered by the fact that the Internet was being commercialized, so they attacked our network backbone regularly. Remember all of those statements coming from various Internet providers that claimed their 24 or 48 hour outage was for an equipment upgrade failure? Think *** not ***. Often the outage was the result of hackers at work.
In building out the Internet, I became convinced that it wouldn't go anywhere without a very heavy focus on security. This was around 1995; that's the time that I decided to join Netscape, where I led the security product group. There we were able to endlessly innovate in security and put that work to action; it was a great time. I was group product manager for the Secure Sockets Layer (SSL) protocol and other Netscape security products and features including smart cards, replaceable crypto, digital certificates, code signing, and PKCS #11. Around this time I finished my first book, Network Application Frameworks.
That book was my statement that networks, applications, and security are one problem set, not two or three. It has always struck me as odd that network people and application development people (and now security people) put such walls up between their work and areas of study within an organization -- it's all one problem. After taking some time off and helping another company prepare to go public, I co-founded NetFrameworks, Inc. with Tom McKnight in 1998.
How did you gain interest in computer security?
Since the time I first started working in a shared computing environment, in my case an IBM mainframe, I became very interested in security. It was completing the initial build-out of Global SprintLink and staring back over the expanse of the Internet and pondering its potential that fueled what would become my obsession with the importance of security in distributed computing.
What are your favorite security tools?