Interview with Anonymous, lead author of "Maximum Security 4/e"
by Mirko Zorz - Thursday, 1 May 2003.
Lack of understanding by administrative personnel on what process models are and how these affect security. Administrators today must know - at every level - the path by which a data element passes through their enterprise (and they must visualize this path transparently). Admin folks (I mean administrative folks, not sysadmins) often don't want to spend the money necessary to transparently expose that path or process. They'd rather buy this or that product, which they think will solve all their problems. Security as a process (and not an end) just isn't their thing. It doesn't fit into garden-variety expenditure analysis models.

You mention many security tools in your book, do you have any favorites?

That's a hard call. I see things like Nessus, for example, as constantly evolving, and anything of that ilk, I think, has a better future than some static system. However, I'd hate to plug a particular product against another. The best I can say is this: any tool that's modular, decentralized, open, and constantly evolving is likely to find itself into my CD library eventually.

What's your take on the full disclosure of vulnerabilities?

I'm wholly for it. Encryption algorithms, for example, have been in existence (and exposed) for years. Only when one is out there, open to anyone, can we truly find out whether it can withstand attack - and several algorithms have. If so, what's so different about applications? Open source evolves by exploiting thousands of human networks worldwide, and in that process, it harnesses the best and brightest minds. It's kind of like things like voluntary eugenics, really, in respect to evolution - or from a feminist perspective. Women make the ultimate choice as to their children's fathers, and they do so (one would hope) by choosing the best, the brightest, and the strongest. We should do the same. Millions of years of human evolution can't be wrong. Or, if you prefer a less inflammatory statement on the issue, which would you prefer: that communities wait X number of days or weeks to report a missing child or, in the alternate, immediately issue an "amber alert?" Time is humankind's enemy - always. The quicker we know the truth - the real truth - the better off we are. (Sidenote: that notwithstanding, exposing weaknesses before notifying the victim vendor isn't cool. Give them at least a decent shot at fixing the problem. If they fail to do so immediately thereafter - or as soon as humanly possible - that's their problem).

What are your future plans? Any exciting new projects?

Although Pearson hasn't publicly acknowledged it, I'm retired from security, and currently engaged in an open ground war on this corporate thing in B2B. I cannot tell you precisely what it is, but the project I'm now working on (and will soon unveil) will change B2B/EC/EDI forever, in every nation. In less than forty days, in fact, I'll be B2B's Prince of Darkness. Imagine a Tower of Babel for B2B where even if X equals zero or null, it still equals something *other* than zero or null. Yeah. Imagine a thing that empowers TCP/IP applications to dynamically examine the same transactional stream almost simultaneously and derive - from the same transmission - a dozen different types of analysis, in realtime, using autonomous agents, even if that transaction initiated in Mozambique, and carried within its packets proprietary product classification and characterization codes. Finally, imagine a router being able to visualize all transactions conducted in a given, assigned geographical region, effortlessly. That, to me anyway, qualifies as exciting (which goes to show how banal my life has become. Heh).
