Interview with Greg Vaughn, co-author of “Maximum Security 4/e”

Who is Greg Vaughn? Introduce yourself to our readers.

I’m primarily an enterprise application programmer. I’d been a consultant for a number of years before taking a permanent corporate position right about the time I was working on the book last fall. I’ve been on the Internet since 1992 and I was aware of it a few years earlier. My first exposure was over a 1200-baud modem into the university VAX cluster. I used to manage an ftp and gopher hobby site before the web took off.

My computer experience goes back to junior high school. I was one of about four students who really got interested in those first couple of computers our school bought — TRS80s. We read the manuals and taught ourselves BASIC when we got free time in class.

Lately my thoughts on all sorts of technical things have centralized on the people issues involved — programmer productivity, group dynamics, code quality, testing, and security.

How did you get interested in computer security?

I’ve come from the direction of application development. I also have a graduate degree in physics, which gave me a strong mathematical background (and a masochistic affinity for problem solving) so I’ve found myself drawn to the ‘difficult’ parts of programming in general — encryption, security, concurrency, etc. because of the challenges involved. I’ve lately become convinced that the truly most difficult parts of security are the people issues. The mathematics of encryption algorithms are fairly well known as are the procedures, but getting people to understand and care enough to change their behavior is hard.

Do you have any favourite security tools?

I couldn’t really pick a favorite, but I can name what I believe is the most important one — education. Getting people to take security seriously is the most difficult part. This ranges all the way from the people who just need the computer network to get their job done, to the programmers who write the programs to simplify their jobs, to the system administrators who keep everything running, to the upper management who set policy.

That’s probably not the direction you meant for the question to go. I’ve actually found netcat to be really helpful lately in developing some distributed apps.

What operating system(s) do you use and why?

I’m writing this from an Apple Titanium Powerbook G4 running Mac OS X. Aside from the very first computer I had in high school, I’ve always had Apples at home. Initially it was because friends had them. I’ve stuck with them because of the low trouble due to the hardware/OS integration and the security.

The classic Mac OS did a really good job of security through obscurity. Hold on — before you label me a heretic, hear me out. I don’t advocate basing security on obscurity, but it makes for a nice additional level. I never had a need to run server processes on my personal machine, and I dialled up with a dynamic IP. I also never had to deal with infection from email Trojans since Mac mail clients don’t default to executing content of emails (and even if they did, they wouldn’t have much luck with Windows binaries — more obscurity at work!)

I’m familiar with and use a wide range of OSs (I started on Yggdrasil Linux in grad school in ’93, then various Windows NT and Unix flavors in the corporate world, plus PDAs, and others for fun). I recognize that each has its strengths and weaknesses, and that I’m personally quite atypical in what I look for in a personal machine.

I’m still learning my way about OS X, but so far I really like it. I bought the machine after the book was complete or I may have been more involved with that chapter. I like the continued lack of hardware integration problems characteristic of Apple, but I also really like the power and ‘hackability’ of the Darwin/BSD underpinnings. I’ve always liked customizing the computer to my usage patterns, and this is fertile ground. I’ve been quite pleased with the security out of the box and Apple’s responsiveness to security updates.

How long did it take you to complete your chapters for “Maximum Security 4/e” and what was it like?

One week each for the two chapters I did (Internal Security and Intrusion Detection Systems). Plus a couple of days each to review editors’ comments a few weeks later. But I wouldn’t say this was typical.

I got involved in the book through a friend and former co-worker who’s been involved with Sams Publishing for several years. They were needing some extra help after the project was underway. I had been wanting to get involved in book writing, had the background, and had the time to take on two chapters. Since this is a 4th edition, I was given the chapters of the 3rd edition as a starting point. From there I checked all the references to outside material and updated them as necessary, added new material, removed obsolete parts, and generally interspersed my own knowledge and experience where it made sense.

The people at Sams were great to work with, and I quite enjoyed the experience. I’m looking forward to my next book project, but there’s nothing definite right now.

What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?

I’m going to sound like I’m harping on this issue, but the biggest challenge is education. Corporations first need to understand their exposure from disgruntled and/or naive employees. Then they need to carefully consider how to address the balance between ease of use and security. One size does not fit all, but that’s typically where executives want to go. In the long run, it’ll cost corporations in productivity if they keep the development staff under as tight a rein as call center employees, for example.

Corporations also need to understand that security is a process, not a product, but products are an important part. Firewalls are the obvious example here. They’re an invaluable component of the security plan, but don’t stop there. Also, it’s the wrong idea to create a task force that ends up just producing a 100-page document on what the security policies are and then decree that everyone must read and comply with it. It’s good to have the policy for reference, but go the next step to get products in place and teach people how to make them part of their routine. And then also have a plan on how you revisit and decide if/when to replace those products as needed.

Based on your experiences, do you find proprietary software or open source software to be more secure?

I can’t really objectively say, but I do tend to trust open source more. I’m not going to pretend that I’ve personally audited every line of the OSS projects I use, but it’s comforting to know that I could. I think it’s also in security’s benefit that OSS is written by people who genuinely care about the project — they care enough to donate their time in the vast majority of cases. Plus they’re not under a market-based deadline to deliver before a competitor does. Both of these features reduce the risk that the developers will take shortcuts and be careless with their code.

On the other hand, OSS projects attract plenty of novice programmers who may not have learned how to write secure code yet. Plus there’s no guarantee that just because experienced people could have audited the code, that they actually have. So we have to be careful not to just blindly trust the security of OSS.

My litmus test is to see how many people are credited in the README as contributing to the project. A large number means that many people have looked at the code, and hopefully their level of experience follows a bell curve so you’ve had plenty of experience involved. I don’t instantly trust a project that has just a few contributors — they could just be prolific, but undisciplined high school students.

What’s your take on the full disclosure of vulnerabilities?

Before the DMCA, this was an easy answer: when you find a vulnerability first tell the vendor and give them a reasonable amount of time to respond. If they don’t, then publish publicly. I won’t go into a screed on the DMCA, but it is forcing honest people to avoid the upfront approach and the corresponding risk of legal action. As it is, a US citizen would need to either get a foreigner they trust to actually do the notifications for them, or else step a bit closer to the black hat hacker community to learn how to hide their tracks of communication so they can report it themselves. The basic strategy still applies — it’s just harder now.

What are your future plans? Any exciting new projects?

It won’t be very public, but my involvement in the book has caught attention at work and it’s highly likely that I’ll be involved with a task force for renewed focus on security. We’ve recently become a bank, and that means we will have to comply with federal confidentiality regulations. I’ve already stated my stance on education and the biggest challenge in protecting sensitive information at the enterprise level in earlier questions, and that is the stance I will take on this task force. I will be involved in the politics of getting people to go beyond simply checkmarking compliance with the regulations and additionally put a real security process in place, while not being too restrictive on people’s day-to-day work. I expect it to be a real challenge.