Interview with Anonymous, lead author of "Maximum Security 4/e"
by Mirko Zorz - Thursday, 1 May 2003.
Lack of understanding by administrative personnel on what process models are and how these affect security. Administrators today must know - at every level - the path by which a data element passes through their enterprise (and they must visualize this path transparently). Admin folks (I mean adminstrative folks, not sysadmins) often don't want to spend the money necessary to transparently expose that path or process. They'd rather buy this or that product, which they think will solve all their problems. Security as a process (and not an end) just isn't their thing. It doesn't fit into garden- variety expenditure analysis models.

You mention many security tools in your book, do you have any favorites?

That's a hard call. I see things like Nessus, for example, as constantly evolving, and anything of that ilk, I think, has a better future than some static system. However, I'd hate to plug a particular product against another. The best I can say is this: any tool that's modular, decentralized, open, and constantly evolving is likely to find itself into my CD library eventually.

What's your take on the full disclosure of vulnerabilities?

I'm wholly for it. Encryption algorithms, for example, have been in existence (and exposed) for years. Only when one is out there, open to anyone, can we truly find out whether it can withstand attack - and several algorithms have. If so, what's so different about applications? Open source evolves by exploiting thousand of human networks worldwide, and in that process, it harnesses the best and brightest minds. It's kind of like things like voluntary eugenics, really, in respect to evolution - or from a feminist perspective. Women make the ultimate choice as to their childrens' fathers, and they do so (one would hope) by choosing the best, the brightest, and the strongest. We should do the same. Millions of years of human evolution can't be wrong. Or, if you prefer a less inflammatory statement on the issue, which would you prefer: that communities wait X number of days or weeks to report a missing child or, in the alternate, immediately issue an "amber alert?" Time is humankind's enemy - always. The quicker we know the truth - the real truth - the better off we are. (Sidenote: that notwithstanding, exposing waknesses before notifying the victim vendor isn't cool. Give them at least a decent shot at fixing the problem. If they fail to do so immediately thereafter - or as soon as humanly possibly - that's their problem).

What are your future plans? Any exciting new projects?

Although Pearson hasn't publicly acknowledged it, I'm retired from security, and currently engaged in an open ground war on this corporate thing in B2B. I cannot tell you precisely what it is, but the project I'm now working on (and will soon unveil) will change B2B/EC/EDI forever, in every nation. In less than forty days, in fact, I'll be B2B's Prince of Darkness. Imagine a Tower of Babel for B2B where even if X equals zero or null, it still equals something *other* than zero or null. Yeah. Imagine a thing that empowers TCP/IP applications to dynamically examine the same transactional stream almost simulatenously and derive - from the same transmission - a dozen different types of analysis, in realtime, using autonomous agents, even if that transaction initiated in Mozambique, and carried within its packets proprietary product classification and characterization codes. Finally, imagine a router being able to visualize all transactions conducted in a given, assigned geographical region, effortlessly. That, to me anyway, qualifies as exciting (which goes to show how banal my life has become. Heh).


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th