Interview with Greg Vaughn, co-author of "Maximum Security 4/e"
by Mirko Zorz - Thursday, 24 April 2003.

Who is Greg Vaughn? Introduce yourself to our readers.

I'm primarily an enterprise application programmer. I'd been a consultant for a number of years before taking a permanent corporate position right about the time I was working on the book last fall. I've been on the Internet since 1992 and I was aware of it a few years earlier. My first exposure was over a 1200-baud modem into the university VAX cluster. I used to manage an ftp and gopher hobby site before the web took off.

My computer experience goes back to junior high school. I was one of about four students who really got interested in those first couple of computers our school bought -- TRS80s. We read the manuals and taught ourselves BASIC when we got free time in class.

Lately my thoughts on all sorts of technical things have centralized on the people issues involved -- programmer productivity, group dynamics, code quality, testing, and security.

How did you get interested in computer security?

I've come from the direction of application development. I also have a graduate degree in physics, which gave me a strong mathematical background (and a masochistic affinity for problem solving) so I've found myself drawn to the 'difficult' parts of programming in general -- encryption, security, concurrency, etc. because of the challenges involved. I've lately become convinced that the truly most difficult parts of security are the people issues. The mathematics of encryption algorithms are fairly well known as are the procedures, but getting people to understand and care enough to change their behavior is hard.

Do you have any favourite security tools?

I couldn't really pick a favorite, but I can name what I believe is the most important one -- education. Getting people to take security seriously is the most difficult part. This ranges all the way from the people who just need the computer network to get their job done, to the programmers who write the programs to simplify their jobs, to the system administrators that keep everything running, to the upper management who set policy.

That's probably not the direction you meant for the question to go. I've actually found netcat to be really helpful lately in developing some distributed apps.

What operating system(s) do you use and why?

I'm writing this from an Apple Titanium Powerbook G4 running Mac OS X. Aside from the very first computer I had in high school, I've always had Apples at home. Initially it was because friends had them. I've stuck with them because of the low trouble due to the hardware/OS integration and the security.

The classic Mac OS did a really good job of security through obscurity. Hold on -- before you label me a heretic, hear me out. I don't advocate basing security on obscurity, but it makes for a nice additional level. I never had a need to run server processes on my personal machine, and I dialled up with a dynamic IP. I also never had to deal with infection from email Trojans since Mac mail clients don't default to executing content of emails (and even if they did, they wouldn't have much luck with Windows binaries -- more obscurity at work!)

I'm familiar with and use a wide range of OSs (I started on Yggdrasil Linux in grad school in '93, then various Windows NT and Unix flavors in the corporate world, plus PDAs, and others for fun). I recognize that each has its strengths and weaknesses, and that I'm personally quite atypical in what I look for in a personal machine.

