How long have you been working with Linux, and how did you get interested in it?
I've been working with Linux since sometime before v1.0. I believe it was in fact v0.99pl7. I had purchased it on a stack of floppy disks and it took a few months before it was fully installed.
At the time, I was responsible for the open source development on my college server. I knew even at the time that I would be involved with open source as my career, as it developed much more quickly than the DEC running Ultrix did, and offered a much wider range of software even at that time.
In your opinion, where does Linux need the most development at the moment?
In the security space, better government and vendor support, continued efforts to abandon legacy applications with no security in exchange for those that have been developed to be secure, as well as ongoing code auditing are probably at the top of the list of things that are currently needed.
Guardian Digital is focused on developing open source business applications with specific regards to security. This includes solving issues such as user privacy, "edge" security issues such as web, DNS, and mail services, code auditing, training, authentication, and access control.
Linux is already ahead of proprietary vendors in the areas of honeynet and honeypot research. Proprietary vendors have also acknowledged their open source counterpart in the areas of intrusion detection.
Security vendors are increasingly realizing that Linux is a viable platform for their own security products, and are shifting away from operating systems with licensing, stability, and security problems and porting their software to run on Linux.
What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?
Improved participation from end-users. Regardless of the application, operating system, levels of defense, it will surely crumble if it's not taken seriously by the trusted users.
Further, it's necessary for users to continue to build their knowledge of current trends and technologies. No longer is it possible to "secure" your network by purchasing a firewall and going home for the evening -- the internal network, publically accessible systems, and even the physical building must be secured.
Many still don't realize that email isn't a secure mechanism for transmitting data. We've all heard the story about the sticky-notes with the password on the monitor. It takes a refresher periodically for people to acknowledge that your software vendor doesn't make perfect software, and even large organizations with sophisticated security can be compromised without a vigilent approach to security.
What's your take on the full disclosure of vulnerabilities?
I am a believer in the concept of full disclosure, but it must be done responsibly. There's no benefit in releasing an exploit for a particularly vulnerability before a vendor has had the appropriate amount of time to respond.
It's also the responsibility of the end-user to follow up with their vendor to ensure they are acknowledging security vulnerabilities and fixing them rapidly. Certainly one of the criteria users should use when choosing a particular software application or even operating system is the security history and the vendor's track record in responsible security practices.