You mention many security tools in your book. Do you have any favorites?
That's a hard call. I see things like Nessus, for example, as constantly evolving, and anything of that ilk, I think, has a better future than some static system. However, I'd hate to plug a particular product against another. The best I can say is this: any tool that's modular, decentralized, open, and constantly evolving is likely to find its way into my CD library eventually.
What's your take on the full disclosure of vulnerabilities?
I'm wholly for it. Encryption algorithms, for example, have been in existence (and exposed) for years. Only when one is out there, open to anyone, can we truly find out whether it can withstand attack - and several algorithms have. If so, what's so different about applications? Open source evolves by exploiting thousands of human networks worldwide, and in that process, it harnesses the best and brightest minds. It's kind of like voluntary eugenics, really, in respect to evolution - or from a feminist perspective. Women make the ultimate choice as to their children's fathers, and they do so (one would hope) by choosing the best, the brightest, and the strongest. We should do the same. Millions of years of human evolution can't be wrong. Or, if you prefer a less inflammatory statement on the issue, which would you prefer: that communities wait X number of days or weeks to report a missing child or, in the alternative, immediately issue an "amber alert"? Time is humankind's enemy - always. The quicker we know the truth - the real truth - the better off we are. (Sidenote: that notwithstanding, exposing weaknesses before notifying the victim vendor isn't cool. Give them at least a decent shot at fixing the problem. If they fail to do so immediately thereafter - or as soon as humanly possible - that's their problem.)
What are your future plans? Any exciting new projects?
Although Pearson hasn't publicly acknowledged it, I'm retired from security, and currently engaged in an open ground war on this corporate thing in B2B. I cannot tell you precisely what it is, but the project I'm now working on (and will soon unveil) will change B2B/EC/EDI forever, in every nation. In less than forty days, in fact, I'll be B2B's Prince of Darkness. Imagine a Tower of Babel for B2B where even if X equals zero or null, it still equals something *other* than zero or null. Yeah. Imagine a thing that empowers TCP/IP applications to dynamically examine the same transactional stream almost simultaneously and derive - from the same transmission - a dozen different types of analysis, in real time, using autonomous agents, even if that transaction initiated in Mozambique, and carried within its packets proprietary product classification and characterization codes. Finally, imagine a router being able to visualize all transactions conducted in a given, assigned geographical region, effortlessly. That, to me anyway, qualifies as exciting (which goes to show how banal my life has become. Heh).