Interview with Anonymous, lead author of “Maximum Security 4/e”
Who is Anonymous? Introduce yourself to our readers.
I’m not sure Pearson Education really wants this question answered. In any event, I was born 11/24/1964 at 12:01 a.m. in NYC (I’m an old man, in other words), and like Forrest Gump, “I’ve worn a lot of shoes.”
How did you gain interest in computer security?
I’d like to report that I was a crusader (like so many of the more committed hackers out there), but that would be a lie. My original interest was purely monetary, and focused on a comparatively small sector of the business (operating systems used by financial institutions). After I aced that area (and spent a few years exploiting the same, and a few more on vacation with the government), I went into healthcare processing. There, I really got into it. At one firm I worked, a billing manager operating under a false identity disappeared, leaving behind a Novell network and accompanying billing system, but no passwords. The professional staff of that hospital got increasingly concerned about not being able to bill for their services, and thus, hired me to break into the network and crack the billing software. (That was an interesting job, too, as the software used extraordinarily archaic security routines, and worse, assembled data screens on-the-fly from DBASE sources that were “parted-out” so tough, no one could conceivably extricate the data except using screen capture utilities, like WP’s old “grab.exe.” Talk about job security! Following that, I received an endless number of contracts to do the same (or substantially the same) thing for just about every sector you can imagine. Some of those jobs, I add here, were truly bizarre. You cannot imagine – or perhaps you can – what types of people “lose” or “need” data. For many years, that was my function in life – other than enjoying it, of course.
Why did you choose to hide your identity and sign your books as Anonymous? Why the secrecy?
I’m not sure Pearson wants to have this circulate as common knowledge either, but I’ll give it my best shot. Seven years ago, I and twenty-two other persons created a cornerstone of EC/EDI/B2B. That technology created an entirely new field, and was responsible for raising and sinking empires in expenditure analysis and automated line-item coding in realtime. The result was a new industry that was aggregately worth several hundred million dollars a year. Unfortunately, friendships (when money is afoot) don’t always last. To discredit my reputation, some of those individuals – who later became direct competitors (and some would say, mortal enemies) – used my past to discredit my reputation. Because my past is admittedly more checkered than most, that could have posed tremendous problems for Pearson (then Macmillan). Given all that – and anticipating a ground war between my team and the opposing team – it made sense. Besides, as has been now widely reported, especially in Germany and Brazil, my lifestyle is….controversial, at least from, say, a religious fundementalist’s viewpoint. Safe to say, unlike the many wonderful engineers and hackers I know, I was no angel, nor am I today, nor will I ever be. Because Pearson was trying in earnest to do something good for the net community (and, admittedly, also turn a decent buck), it seemed fair that its editors could proceed without getting entangled in either my past or my corporate wars and coups. To date, I think, my identity has been kept fairly well quiet, and for Pearson’s sake, I’ve tried my best to keep that shroud of secrecy wrapped around me.
Do the contributing authors know your real identity? If not, how did you communicate with them while working on the book?
Hahahaha. Looking for some trade secrets, perhaps? Just kidding.
Pearson has an interesting (ingenious) way in which it does business. It may well be one of the few functional human networks that remains truly decentralized, dynamic, and elastic. The manner in which editorial copy is moved back and forth is pretty clean. But yes…a few of those authors do know my identity (and more than a few are likely glad that my identity has been so long a secret, as they’re such fine persons, I doubt that they would, under any other circumstances, attach their names to my works).
Wouldn’t your real name on the book guarantee more customers for your company? Why not use this promotion?
I could just say “see above,” but I’m not nearly so rude. As I had anticipated, opposition forces did, within the last two years, release incredibly damaging (and false, defamatory) information about me on the Internet. To prevent Pearson from losing millions of dollars behind that data, it was an imperative that my name never appear anywhere. (Funny sidenote: once, about six months ago, a clerical error led to a Library of Congress misprint that did reveal my name – for a few days. What a mess). To get to the heart of your question, though, yes: most authors do book signing tours, lectures, and what not (and these activities are normal aspects of almost any publishing contract of substance). I – and Pearson – could have made much more money had my name been out there, and had I been out there. Perhaps someday, after a dozen or so lawsuits to clear my name (as much as it can be cleared, heh), my name might be public knowledge.
But today, Pearson’s best strategy is to keep it quiet, and I have always tried my best to help Pearson in that regard.
How long did it take you to write “Maximum Security 4/e” and what was it like? Any major difficulties?
“Maximum Security 4/e” came at a time when I was deeply embroiled in a back-alley corporate war – and a nasty one. Hence, I couldn’t really be there as I should have been. On that account, “Maximum Security 4/e” (which is a pretty good book, actually) is the fruit of many others’ labor. I lent some support there (perhaps quite a bit), but they (Pearson’s excellent authors and its editors) are responsible for it. Strictly speaking, my “last” book – ever, save one, which is unrelated to computer security – was “Maximum Apache Security”, although my “fingerprints” are on some 32 ISBNs. I think, though, without speaking for other “Maximum Security 4/e” authors, the major difficulties the book presented was, as always, the same: technology in this area gains ground by the minute, and not the day. Hence, from the time the book entered the editorial queue to printing, the authors had to undertake many updates to account for strides (by black and white hats) that occured during its production. Wireless security might be a good example.
What operating system(s) do you use?
Well, I’m an OpenBSD fan. It’s not perfect (nothing is), but it certainly provides you with a beginning baseline. Of course, nowadays, many technologies that were once commonly to OpenBSD exclusively are becoming widely available to other operating systems. For quick-and-dirty installs, though, OpenBSD rox. However, between the Patriot Act and other legislative maneuvers like it, our problems are now a tad different. Whereas we once had to “watch” crackers, we must now also watch our watchers. This presents practical issues that this or that encryption suite or firewall may not necessarily handle, so now, we need to look more to the processes by which data winds its way through our enterprises and homes. Wireless security, for example, is still, in my opinion, a disaster, and yet, many of my friends use it without a second thought (and without hardening it). These days, any sensitive work I do, I do on a laptop without network connectivity. When I’m done, I melt the drive, and buy another.
What is, in your opinion, the biggest challenge in protecting information at the enterprise level?
Lack of understanding by administrative personnel on what process models are and how these affect security. Administrators today must know – at every level – the path by which a data element passes through their enterprise (and they must visualize this path transparently). Admin folks (I mean adminstrative folks, not sysadmins) often don’t want to spend the money necessary to transparently expose that path or process. They’d rather buy this or that product, which they think will solve all their problems. Security as a process (and not an end) just isn’t their thing. It doesn’t fit into garden- variety expenditure analysis models.
You mention many security tools in your book, do you have any favorites?
That’s a hard call. I see things like Nessus, for example, as constantly evolving, and anything of that ilk, I think, has a better future than some static system. However, I’d hate to plug a particular product against another. The best I can say is this: any tool that’s modular, decentralized, open, and constantly evolving is likely to find itself into my CD library eventually.
What’s your take on the full disclosure of vulnerabilities?
I’m wholly for it. Encryption algorithms, for example, have been in existence (and exposed) for years. Only when one is out there, open to anyone, can we truly find out whether it can withstand attack – and several algorithms have. If so, what’s so different about applications? Open source evolves by exploiting thousand of human networks worldwide, and in that process, it harnesses the best and brightest minds. It’s kind of like things like voluntary eugenics, really, in respect to evolution – or from a feminist perspective. Women make the ultimate choice as to their childrens’ fathers, and they do so (one would hope) by choosing the best, the brightest, and the strongest. We should do the same. Millions of years of human evolution can’t be wrong. Or, if you prefer a less inflammatory statement on the issue, which would you prefer: that communities wait X number of days or weeks to report a missing child or, in the alternate, immediately issue an “amber alert?” Time is humankind’s enemy – always. The quicker we know the truth – the real truth – the better off we are. (Sidenote: that notwithstanding, exposing waknesses before notifying the victim vendor isn’t cool. Give them at least a decent shot at fixing the problem. If they fail to do so immediately thereafter – or as soon as humanly possibly – that’s their problem).
What are your future plans? Any exciting new projects?
Although Pearson hasn’t publicly acknowledged it, I’m retired from security, and currently engaged in an open ground war on this corporate thing in B2B. I cannot tell you precisely what it is, but the project I’m now working on (and will soon unveil) will change B2B/EC/EDI forever, in every nation. In less than forty days, in fact, I’ll be B2B’s Prince of Darkness. Imagine a Tower of Babel for B2B where even if X equals zero or null, it still equals something *other* than zero or null. Yeah. Imagine a thing that empowers TCP/IP applications to dynamically examine the same transactional stream almost simulatenously and derive – from the same transmission – a dozen different types of analysis, in realtime, using autonomous agents, even if that transaction initiated in Mozambique, and carried within its packets proprietary product classification and characterization codes. Finally, imagine a router being able to visualize all transactions conducted in a given, assigned geographical region, effortlessly. That, to me anyway, qualifies as exciting (which goes to show how banal my life has become. Heh).