Thursday, January 26, 2006

Security Interviews 2004/2005 - Part 1

I've decided to compile a list of all the interviews I have taken for Asta's Security Newsletter (feel free to opt-in), with the idea of providing you with the opinions of the 22 folks I have had the chance to talk to (two anonymous ones are excluded, as perhaps they shouldn't have been taken in the first place, and one Xmas issue went out without an interview). I hope you will enjoy the diversity of their backgrounds and the topics covered.


Go through Part 2 and Part 3 as well!

1. Proge - 2003
2. Jason Scott - 2003
3. Kevin Townsend - 2003
4. Richard Menta - 2004
5. MrYowler - 2004
6. Prozac - 2004
7. Candid Wuest - 2004
8. Anthony Aykut - 2004
9. Dave Wreski - 2004
10. Mitchell Rowtow - 2004
11. Eric (SnakeByte) - 2005
12. Björn Andreasson - 2005
13. Bruce - 2005
14. Nikolay Nedyalkov - 2005
15. Roman Polesek - 2005
16. John Young - 2005
17. Eric Goldman - 2005
18. Robert - 2005
19. Johannes B. Ullrich - 2005
20. Daniel Brandt - 2005
21. David Endler - 2005
22. Vladimir, 3APA3A - 2005

Interview with Proge, Founder of Progenic

Astalavista : To those who still don't know of, give us a brief introduction of the whole idea and its history?

Proge : Basically it all started back in '98; we just made software for the fun of it and stuck it up on a webpage, mostly pretty simple stuff. It was a fun time, but as the scene grew, things got a little out of hand, and when FakeSurf (the first automated surfing tool) was released we had legal threats from Alladvantage, lost our sponsorship that was paying for the bandwidth and were flooded with people wanting nothing more than a quick buck. I think that's when everyone decided enough was enough, and we took the site behind closed doors. I left the toplist up on because it's a scene I came from and I don't want to see it die. At the moment I'm working on more constructive things like, it's more satisfying to create something that helps people.

Astalavista : As being on the Scene for such a long time, what is your opinion on today's Security threats home and corporate users face every day?

Proge : There are usually two reasons why you become a target: automated software scanning your system for known exploits that you should have patched, or you've made yourself a target. If someone wants to break into your system then, unless you have a dedication to security, that window between an exploit and a patch is going to get you. Even if you stay on top of things, it can still be a battle. According to Microsoft, 'the only truly secure computer is the one buried in concrete, with the power turned off and the network cable cut', and you probably run their operating system.

Astalavista : Is Security through Education the perfect model for any organization?

Proge : Definitely! I'm still amazed that there are programmers and sysadmins out there who think functionality first, security second or not at all. You need to understand hacking to understand security. You know the reasons why you lock your door at night, why you set an alarm, but do you know why you have a firewall or an intrusion detection system, or did it just sound like a good idea when you got a glossy leaflet warning you about 'hackers' and asking for your money? You can't just install a product and forget about security, but that's what the industry tries to sell. Security is a constant threat and it isn't game over until you lose.

Astalavista : How real you think is the threat of CyberTerrorism?

Proge : With people like we have in power it gets more real. Like I said, if you make yourself a target, you've got a problem.

Astalavista : Is BigBrother really watching us, and what's the actual meaning of the word 'privacy' nowadays ?

Proge : A good question. They're definitely watching us, but to what degree, who knows. It doesn't hurt to have a healthy paranoia. There are two sides to the privacy argument really. Either you're worried that government/business is overstepping the mark and intruding on your personal life for their own benefit, or you've got something to hide. Unfortunately privacy is being marketed at those with something to hide; you've seen the ads: cheating on your wife? Grooming underage kids? Erase your history, don't get caught, etc. It's ironic that there are more ethics in a scene that is largely branded a threat to security than there are in government and business.

Astalavista : Thanks for your time, Proge.

Proge : You're welcome!

Interview with Jason Scott, Founder of

Astalavista : How was the idea of born?

Jason : TEXTFILES.COM was born because one day in 1998 I wondered what had ever happened to an old BBS I used to call (it was called Sherwood Forest II). Since the WWW had been around for a good 5 years, I figured there would be a page up with information about it, and I could even download a few of the old textfiles I used to read back in those days (the BBS was up from about 1983 to 1985). To my shock, there was nothing about Sherwood Forest II anywhere, and nothing about ANY of the BBSes of my youth. So then I went off and registered the most easy-to-remember name I could find, and started putting up my old collection from floppies. This gave me about 3,000 files, which I used to attract other people's collections and find more on my own, up to the current number, which is well past 60,000.

Astalavista : There's a huge amount of illegal and destructive information (bomb howto guides, drug howtos) spreading around the Internet these days. Some of these files can be found at as well; don't you think that accessing such information is rather dangerous and could endanger someone?

Jason : Well, the question makes it sound like this is a recent event, the availability of information that, if implemented, could cause damage or other sorts of trouble. This has always been the case; if you want, we can go back to the days of the TAP newsletter (and the later 2600 magazine) where all sorts of "dangerous" information was being printed. We can go back many years before that.

This may sound like a copout, but I don't really buy into the concept of "dangerous information". At a fundamental level, it is someone saying "I am looking at this, and I have decided you should not see it. So don't look. I've made my decision." And I find that loathsome in that it gives someone enormous arbitrary power. This argument applies to the concepts of Obscenity and Governmentally-Classified information, as well.

Sometimes people bring up the concept of children into the argument and my immediate reaction is not very pleasant. Parents protect; be a parent.

If somebody wants to hurt somebody else, then information files are not the big limiting factor to them doing it; they'll just pick up a match and set your house on fire, or buy a gun and shoot you or someone you really like. Censorship, as you might imagine, is not big on my list of things that improve the quality of life.

Astalavista : Nowadays Information could be considered the most expensive "good", what's your attitude towards the opinion that the access to certain Information would have to be a paid one?

Jason : Information is a very funny thing. It can be quantified to some extent, and some amount of control can be issued on its transfer and storage. But the fact is that we, as a race, have been spending a lot of time making information easier and easier to spread. Printing press, book, flyer, radio, records, tapes, CDs, DVDs, internet, Peer to Peer... faster and faster. It is possible to know on the other side of the world what a child looked like at the moment it was born, a mere few seconds later. When Americans elected the president in the 1800s, they might not know who had won for weeks. Many people might have never seen a photograph of the man who ran their country. They would almost certainly never hear him speak.

Charging for information is everyone's right. More power to them if they can make a buck. But that's not what I'm talking about. I've seen kids with a hundred textfiles trying to sell access to them for $5. If they're able to lure in suckers to pay that, then they have a talent. When you're in the cinema, the same soda that cost something like fifty cents or a quarter, at the local store it will cost you two or three dollars. Are you paying for the soda or for the ability to have a soda in that location? Similarly, I don't think you're paying for the information on a site that charges, you're paying a fee because you didn't know any other way to get this information.

There will always be a market for people with the ability to take a large amount of information and distill it for others (we called them "gatekeepers" when I took Mass Communications in college). The only difference is that now anyone can be a gatekeeper, and people can choose to forget them and get the information themselves. So now it's an option, which is a great situation indeed.

I've always been insistent about not charging for access to and not putting advertisements up on the site. I'm going to continue to do that as long as I can, which I expect will be for the rest of my life.

Astalavista : Share your thoughts about the Dmitry Sklyarov case.

Jason : While this is not the first time that something like the Sklyarov fiasco has occurred, I am glad that in this particular instance a lot of press and a lot of attention was landed on what was being done here. Adobe realized within a short time that they'd made a serious mistake, and I hope they will continue to be reminded of how rotten and self-serving they were in the whole event. I certainly hope the company name 'Adobe' will stay in the minds of everyone with it for a long time to come.

That said, I'm glad everything worked out OK for him. Nobody deserves to be held up in a country away from their family because some software publisher has decided they're evil.

America has occasionally taken poor shortcuts through very evil laws trying to fix problems and made them worse. The "Separate but Equal" rulings in regard to Segregation and the indictment of anti-war protesters during World War I for something akin to Treason now have a modern cousin in the DMCA and its equivalent laws, the Mini-DMCAs being passed by states. I think we will look back at this time with embarrassment and whitewash what went on.

Astalavista : How do you see the future of the Internet, having in mind the Government's invasion of the user's privacy, and on the other hand, the commercialization of the Net?

Jason : Mankind has been driven from probably day one to make things better, cheaper, and quicker because that's what will bring them success and fortune. People talk about television being this vast wasteland of uselessness, yet using something like my TiVO I can now bounce among my thousands of daily television programs and listen to events and people that just 10 or 20 years ago, there would be no room on television for. For all the Internet's abutments with the law, the fact is that it's still being adopted as fast as it can, the technology driving it is cheaper and cheaper (I have a connection to my house that costs me $200 that would have cost upwards of $10,000 in 1993) and nobody is really able to say "This Internet Thing Needs to Go" and not get laughed at.

It took me years and years to collect the textfiles on If people go to, they can download the entire collection in as little as a few hours. People are now trading half-gigabyte to multi-gigabyte files like they used to trade multi-megabyte MP3 files just a few years ago.

I really don't have any fear about it being crushed. Too many people know the secret of how wonderful this all is. It's a great time to be alive.

Astalavista : Thanks for the chat!

Interview with Kevin Townsend, Founder and Editor of

Originally taken for HiComm Magazine

Astalavista : How did you get interested in the Information Security field?

Kevin : More by accident than design. I had been a freelance IT journalist for many years - then we had a child that couldn't sleep. We went through many, many months of averaging just a couple of hours sleep each night - it played havoc with my freelancing; couldn't concentrate, couldn't write, couldn't meet deadlines... In the end I gave up and got a proper job. It was actually the first thing that came along, and was marketing manager with a software company that just happened to develop security software. But from then on I was hooked. Infosec is one of the most fascinating areas there is: good versus bad, light versus dark - the perpetual battlefield at an intellectual level without any blood.

Astalavista : Share your viewpoint on the constantly increasing malware problem issue, are we going to see another ILOVEYOU disaster in the near future?

Kevin : I'm sure there will be more malware all the time - and sooner or later, one of them will be dramatic and disastrous. My biggest fear for the Internet, however, is government intervention. Governments need control, and they fear lack of control. The weaker they are, the more they need to control - and the world has some mighty weak people in high office ATM. The Internet is a threat to their control. They need to control the Internet in order to control people. Consider this: we call a category of malware 'viruses'. We do so because they behave like biological viruses. If we continue that analogy, then the 'system' they attack (the Internet) equates to the human body.

Now, if a virus attacks a human, we react in several different ways. The 'traditional' method (it isn't traditional at all; it's very recent) is to attack the virus with ever-stronger antibiotics, or even the surgeon's knife. But more and more of us are coming to the conclusion that this sort of 'quick fix' is no fix at all; all it does is weaken the immune system and encourage the virus to grow into ever stronger variants. The real solution is to strengthen the immune system so that the viruses are tackled and destroyed without causing any damage.

This analogy should be passed back to computer viruses. If governments over-react with increasing penalties and draconian actions (the surgeon's knife), we will weaken the Internet until it is just a pale shadow of the vibrant organism it should be - and we still won't ever get rid of the viruses. The real solution is to strengthen the Internet, not to emasculate it.

Astalavista : As far as IT security is concerned, what are the major threats companies and home users face on a daily basis and how can they be prevented?

Kevin : Well, by now you won't be surprised to know that I consider over-regulation to be the major threat for both business and home users. We are all rapidly transferring our personas to the cyber world, whether that is our business persona or individual persona. Once that is complete, whoever controls the cyber world will control all of us. Smart card ID cards will be able to track everything that everybody does; in fact, we won't be able to do anything without the cards. And if a domain name is withdrawn, individuals or entire companies will effectively disappear overnight. This is a far greater threat than another Lovebug.

Astalavista : In today's world of terror, how real do you think the danger of cyberterrorism is, like stock exchanges going down, corporate networks completely devastated by terrorist groups?

Kevin : I think that the danger exists, but is over-hyped. Attack analyses show that a large percentage of attacks against western (that is, American) utilities and banks come from a very small number of countries well known to be largely anti-American. I cannot believe that this is all done without their government knowledge - so the danger is very real. But just as there are some very clever people attacking systems, so there are some very, very clever people defending them.

Astalavista : What's your personal opinion on the US government's effort to monitor its citizens' Internet activities, in order to protect them from potential terrorist attacks?

Kevin : It isn't, of course, just the US Government. I actually believe that the UK is already further down the line on this. Governments need to strike a balance between defending their people and enslaving their people. A recent poll of American CSOs by CSO magazine shows that 31% of US business leaders believe that the USA is on the way to becoming a police state. I think that most governments have failed to find the right balance, and I think the UK government has already put everything in place for a police state in the UK. I forget the precise words, but the comment that 'those who would give up freedom for security actually deserve neither' is so very true.

Interview with Richard Menta

Astalavista : Hi Richard, I would appreciate if you introduce yourself and the web site you represent, namely

Rich : My name is Richard Menta. I work for an information security consulting firm in NJ called Icons, Inc where I serve as a consultant and as the editor of

About 90% of Icons' clients are banks and credit unions. These institutions are heavily regulated regarding information security, yet despite this fact we found many of our clients needed much more education on the concepts of information security and the added threats and risks presented by technology. was developed to help fill this need by aggregating the latest news and information, covering both the technical and regulatory aspects of InfoSec.

Astalavista : What's the major difference between the security threats the financial sector is dealing with, compared with the general security ones?

Rich : Privacy is the biggest issue with regards to financial institutions. They are mandated by the Gramm-Leach-Bliley Act (GLBA) to protect what is called the non-public personal information (NPPI) of their customers. The biggest security threat comes from intruders looking to garner NPPI to facilitate identity theft. As the relationship of financial institutions with their customers is highly based on trust, and mass identity theft undermines that trust, it is a critical issue to control the theft of customer information.

Astalavista : E-business wouldn't be profitable without E-commerce, what do you think are the major security problems E-shops face nowadays, how aware of the information security issue are the managers behind them, and what do you think can make a significant change in their mode of thinking?

Rich : The biggest security issue is the lack of awareness as a whole. A good information security strategy takes significant effort and financial commitment, but many senior managers are unaware of the full breadth of what information security covers. There is a lot to grasp too, as information security is an ever-evolving discipline that has to rapidly change with the changes in the threat environment.

Awareness is still an issue in the banking industry, where there is a federal examiner coming in once a year to tell management what they need to do. The reason is that examiners have only been focused on information security since 2001 (when the agencies started to enforce GLBA) and they are still learning the ins and outs. It's improving, though, as examiners are visibly becoming savvier with time and communicating more to the banks.

Dramatic change in other industries is a bit more elusive as they have no such oversight as the banking industry does. Still, the Sarbanes-Oxley Act looks to drive better information security because a deficient security plan violates the due care requirements of the Act. As the act imposes criminal penalties for faulty compliance, there will be a lot more pressure once its tenets go into effect this fall.

Astalavista : Malicious software has always been trying to get hold of sensitive financial information, how significant do you think is the threat from worms like the Bizex one in future?

Rich : It is a significant problem, as it goes back to the trust issue. All banks are adopting online banking, yet you have malicious code trying to take snapshots of your information as well as that of anyone else who is in your address book.

The FDIC recently posted a mandate that banks must have a written patch management program consisting of several steps. The reason the agency did this is because they realized that poorly patched systems posed a severe threat and most financial institutions were doing an insufficient job with regards to patch activities. Right now, the great majority of banks are highly susceptible to these worms, as are their average customers, who rarely patch their home systems. Of course, even a great patch management program only goes so far, especially with zero day exploits.

Astalavista : Despite the latest technology improvements and the security measures put in place by companies, a major part of Internet users are still afraid to use their credit card online. Who should be blamed and, most importantly, what do you think should be done to increase the number of online customers who want to purchase goods or services but feel secure while doing it?

Rich : Consumers are afraid for good reasons. How many prime trafficked sites have been broken into? It is embarrassing, especially when it makes the national media. The latest technology improvements and security measures are good, but all merchants as a whole need to impose better security on their end. Those who don't improve measures will continue to undermine the efforts of those who do by perpetuating the insecurity that many patrons feel with regards to online shopping.

Again, it's a trust issue, and there is a significant number of consumers who don't trust typing their credit card number into their browser. The good news is that as security improves throughout online commerce, consumer trust will rise.

Astalavista : What's your opinion on companies citing California's security breach disclosure law and notifying customers of a recent security breach?

Rich : Most companies can absorb any financial losses arising from a breach. It is the damage to their reputation that poses the greatest risk. What is more embarrassing than notifying your customers their information was compromised? Not only does the customer lose trust in the company, but such a disclosure inevitably becomes public and that can hinder the ability to draw new customers.

So why do I think this law is good? Because there is a general apathy among many organizations regarding their activities to properly protect their systems. Regulation has been the greatest motivator to improve security. In this case, forced disclosure is far more motivating than any fine.

Interview with Mr.Yowler,

Astalavista : Mr.Yowler, has been online since 1998, and is a well known community around the net. But there are still people unaware of it; can you please tell us something more about the main idea behind starting the site, and what inspired you the most?

MrYowler : Well, I didn't actually start the site; that was Pengo's doing. I actually joined when CyberArmy had about 37,000 members, and I worked my way up the ranks, first by completing the puzzles, and later by participating in the community as one of its leading members. I was first put in charge back in 2002, and I bought the domain from Pengo and completely took over in late 2003.

CyberArmy is a community of 'hackers' of various skill levels and ethical colors. We focus primarily upon creating a peer environment in which 'hackers' can share information and ideas, and we accomplish that through our Zebulun puzzle and ranked forums, which serve to stratify discussion groups by comparative technical ability. We tend to focus on 'n00bs', largely because they are the group that has the most difficulty finding peer groups to become involved in, because they are the group that most often needs the technical and ethical guidance that CyberArmy provides, and because they are the group that is most receptive to this guidance.

I suppose that what I find most inspiring about the CyberArmy is its tendency to regulate itself. People who are interested in 'hacking hotmail' tend to gravitate together, and not pester people who are not interested in it, and when they don't, the community rapidly takes corrective action on its own. This is a model that I would like to see extend to the rest of the Internet; spammers and kiddie-porn dealers should be possible to identify and remove from the networks without the necessity to monitor *everyone's* email, through some regulatory or enforcement organization that is largely unrepresentative of the users that it is chartered to protect.

I like that CyberArmy gives its members a reason to *think* about social ethics, and to decide upon what they should be, rather than to simply accept what is established, without reasoning. I find that to be a fundamental failing of modern society - that we frequently simply accept law, as the determinant of social ethics, instead of requiring law to be guided by them. When people use *judgement*, rather than rely solely upon law, then people are much more likely to treat one another with fairness. Externally imposed rules are for people who lack the judgement skills to figure out how best to behave, without them. And most rules, today, are externally imposed. I believe that when people *think* about social ethics, it usually results in a moral fiber that is founded in an honest *belief* in the moral behavior that they come up with - and that this makes for infinitely better Internet citizens, than rules or laws that are supported only by a deterrent fear of reprisals. I think that such people usually come up with better behavior than the minimum standards that rules and law do, as well.

Astalavista : Cyberarmy runs a challenge - Zebulun, which happens to be a very popular one. How many people have already passed the challenge, and what are you trying to achieve with it besides motivating their brain cells?

MrYowler : About 200,000 people have participated in the Zebulun challenge, over the years, to one extent or another. Because the challenges are changed, over time (to discourage 'cheating', and to keep them challenging, during changing times), the definition of "passed the challenge" is somewhat variable. Approximately 300-400 people have completed all of the challenges that were available to them, to obtain the highest possible rank that one can reach, by solving the puzzles. That has traditionally been "Kernel" (the misspelling is an intentional pun) or "General", and it is presently "Kernel". At the moment, the Kernel puzzle seems to be too advanced, and will probably have to be changed. There are seven puzzles, and our intended target is that there should always be about a 2:1 ratio of players, from one rank to the next. This guarantees that the puzzles will be challenging to most players, without being discouraging.

Of course, we like encouraging people to learn. More importantly, I'm trying to get people to *think*. Anyone can become educated about technical systems; this only requires time and dedication to the task. And while that is an important thing to do, it is already heavily stressed in schools, and throughout most societies and cultures. Smart people know a lot of things.

But this is not entirely true. Most smart people have come to realize that "knowledge is power", but it is not the knowledge that makes them smart. As with static electricity, which is expressed only as voltage potential until it strikes the ground as lightning, knowledge is not expressed as power until someone *thinks*, and applies that knowledge to some useful purpose. Socrates was effectively an illiterate shoe-salesman (a cobbler), but he is considered a great philosopher because he took the little bit that he knew about the world, and *thought* about it. Not only that, but he convinced others to think about it, as well. Einstein was a mediocre mathematician and generally viewed as a quack, until his thinking was expressed in the form of nuclear energy. *Thought* is what separates the well-educated from the brilliant, and most successful 'hackers' rely much more upon *thought* than upon an exhaustive understanding of the systems that they target. Not that having such knowledge isn't helpful... :)

I am trying to get people to *think* - not only about intrusion tactics, but also about defensive measures, motivations, risks, ethics, and about life in general. Too much of the world around us is taken for granted, and not questioned. Not thought about. I am trying to make the art of questioning and *thinking*, into a larger part of people's lifestyles.

Astalavista : How has the infosec industry evolved, based on your observations since 1998? Is it getting worse? What are the main reasons behind it? Crappy software or the end users' lack of awareness?

MrYowler : In its early years, the infosec industry was largely dominated by the mavericks, as is true with most developing industries. A few people dominated the profession with their independence; it gave them the freedom to tell the business world how things should be, and to walk away if the business world was unwilling to comply. Today, we see less of that, and while the industry is still largely dominated by such people, the majority of people whose job is to implement system security are much more constrained by resource limitations.

Essentially, there are two groups of people in the defensive side of this industry; the policy-makers and the implementors. Policy-makers are usually corporate executives, CISOs, legislators, consultants, or otherwise figures of comparative authority, whose job it is to find out what is wrong with system security, and to come up with ideas about how to fix it. Implementors are usually the ones who are tasked with implementing these ideas, and they are usually system or network administrators, programmers, security guards, or otherwise people whose influence on things such as budget and staff allocation, is insignificant. As a rule, the policy-makers make a great deal of money, establishing policies that they have very little part in implementing, and often these policies have a significant impact upon the work loads and environments of implementors.

It is all well and good, for example, to decide that there will be no more use of instant messenger software in the workplace. Stopping it from occurring, however... while remotely possible by employing purely technical measures, is certainly not desirable or inexpensive. Even monitoring for it can require staff resources which are rarely allocated for the task, and the effect of draconian security measures, or penalties for non-compliance, is usually much more damaging to workplace productivity than the instant messengers ever were. For some reason, policy-makers have abandoned the basic principle of system design, "involve the user", and have limited themselves to requiring the support of executive management. Security policy is surprisingly cheaper, faster, and easier to achieve compliance with when it also has the support of the rank-and-file members of an organization, and not the kind of support that is achieved by putting a professional gun to their heads, by requiring people to sign compliance agreements. Rather, the support that is achieved by giving the employees a sense of personal investment in the security of the system. User awareness is fairly easy to achieve, although users will tend to disclaim it when caught in a violation or compromise. Creating accountability documents, such as security policy compliance agreements, may combat these disclaimers; but the most truly effective approach is not to just tell the users and demand compliance, but to give the users a voice in it, and the desire to strive for it. In many cases, the users have excellent ideas about areas where system security falls down, and similarly excellent ideas about how to fix it.

Policy-makers have to bridge the gap between themselves and implementors, or security will always be 'that pain-in-the-ass policy' which people are trying to find ways to work around. And instead of the draconian Hand of God, which appears only so that it can smite you down; security needs to become the supportive friend that you can always pick up the phone and talk to, when you have a question or a problem.

That having been said, there is another problem with modern security practices, that is worth giving some attention to...

Because security has traditionally been sold to organizations, as a way to prevent losses that result from security compromises, these organizations have begun to assign values to these compromises, and these values determine the extent to which these organizations will go, to prevent them. While perfectly reasonable and sensible from a business perspective, these values are determined largely by educated guessing, and the value of a compromise can be highly subjective, depending upon who is making the assessment.

Remember - if your credit information gets into the hands of someone who uses it to print checks with your name on them, you could spend years trying to straighten out your credit with the merchants who accept these checks. It can impact your mortgage interest rates, or prevent you from getting a mortgage, at all - and it can force you to carry cash, in amounts that may place you in considerable personal danger. The organization which pulls a credit report on you, to obtain this information, however, stands very little to lose from its compromise, since you are unlikely to ever determine, much less be able to prove, that they were the source of the compromise. So, what motivates them to guarantee that all credit report information is properly protected, destroyed and disposed of? What's to stop them from simply throwing it in the garbage? And what happens to it, if they go out of business, or are bought out by some other company? To what extent do they verify that their employees are trustworthy?

*This* is typically where security falls down. Remember; security is the art of protecting *yourself* from harm - not necessarily your customers, your marketing prospects, or anyone else. As a result, most of the effort to secure systems, goes into protecting the interests of the people who *operate* those systems - and not necessarily the users of them, or the data points that they contain information about. In many cases, legal disclaimers and transfers of liability replace actual protective countermeasures, when it comes to protecting things that *you* care about - and in still other cases, a lack of accountability suffices to make an organization willing to take a chance with your security, out of a commercial interest in doing so. Marketing entities often openly sell your information, or sell the use of your information to market things to you, and make no bones about doing so - after all, it's not their loss, if your information gets misused - it's yours.

This is a fundamental problem in information security, and for many of us it costs our personal freedom. The government needs access to all of our emails, without the requirement to notify us or get a warrant to access the information, because we might be drug dealers or child molesters. And I worry that some child molester will gain access to the information, through the channels that are made available to government. stores our credit information, in order to make it easier for us to buy books through them, in the future - and I worry that all someone needs is the password to my account, to start ordering books on my credit card. Every time that I fill out an application for employment, I am giving some filing clerk access to all the information required, to assume my identity. That information is worth a great deal, to me - how much is it worth, to them? Enough to pay for a locking cabinet, to put it into? Enough to put it into a locked office? Enough to alarm the door? Enough to get a guard to protect the facility in which it is stored? Enough to arm the guard? Enough to adequately shred and destroy the information, when they dispose of it? Enough to conduct criminal background investigations on anyone that has access to the information? Or do they just get some general corporate liability insurance, and figure that it's an unlikely-enough circumstance, that even if it happens, and I'm able to trace it back to them, and make it stick, in court, that it's worth the risk of a nuisance liability lawsuit?

At its core, information security is failing, for at least these two reasons: 1) for all the talk that goes on, very little in the way of actual resources are devoted to information security; and, 2) people and organizations usually show comparatively little interest in anyone's security but their own.

Astalavista : Mr.Yowler, lately we've seen an enormous flood of worms in the wild, what do you think is the reason?

MrYowler : Firstly, these worms exploit errors in upper-layer protocols of networks and network applications. Because network applications are proliferating at an ever-increasing rate, the possible ways to exploit them are also increasing at this geometric rate - and people who are interested in exploiting them, therefore have more things to work with.

Secondly, there is a glut of information technology talent in the United States, perhaps thanks, in part to the collapse of the Internet economy - and also, in part, thanks to the rush to outsource technology jobs to overseas entities. Additionally, third-world countries have been developing technical talent for some years, now, in an effort to become competitive in this rapidly-growing outsourcing market. This has created an environment where technical talent is plentiful and cheap - and often disenfranchised.

In some cases, these worms are written by kids, with nothing better to do - and that has always been a problem, which has grown in a linear way, as more and more advanced technical education has begun to become available to younger and younger students.

In other cases, this is the technical equivalent of "going postal", in which a disenfranchised technology worker creates a malicious product, either as a form of vengeance, or in the hope of creating a need for his own technical talents, as a researcher of considerable talent, with regard to the worm in question. Surprisingly many people who might otherwise never find work in the technical or security industries, are able to do so, by making a name for themselves through criminal activity or other malicious behavior. While demonstrating questionable ethics, it also demonstrates technical talent, and the notoriety is sometimes more valuable to a company, than the damage that they risk by hiring someone whose ethics are questionable. Many people are employed or sponsored in the lecture circuit, for this reason; they did something that bought them notoriety - good or bad - and their employer/s figure that they can benefit from the notoriety, without risking a lot of possible damage, by putting these people on the lecture circuit.

In an increasing number of cases, these disenfranchised technology workers are actually employed for the specific purpose of creating malware, by spyware, adware, and spam organizations, as I will cover in the next question. When one is forced to choose between one's ethics and feeding one's children, ethics are generally viewed as a luxury that one can no longer afford. I, myself, am currently under contract to a spammer, since I am now approximately two weeks from homelessness, and better offers have not been forthcoming. I'm writing an application which will disguise a process which sends out spam, as something benign, in the process listing, on what are presumably compromised *nix hosts. The work will buy me approximately one more week of living indoors, which is really not enough to justify the evil of it, but I am in no position to refuse work, regardless of the employer. And indeed, if I did not accept the contract, and cheaply, then it is quite likely that someone from a third-world country would have done so - and probably much more cheaply than I did.

Astalavista : Recently, spammers and spyware creators started using 0-day browser bugs, in order to disseminate themselves in ways we didn't consider serious several months ago. Did they get smarter and finally realize the advantages of a 0-day exploit, compared to those of an outdated and poisoned e-mail database?

MrYowler : As indicated in the previous question, spam, spyware and adware organizations are beginning to leverage the fact that there is now a glut of technical talent available on the world market, and some of it can be had, very cheaply. These organizations have been taking advantage of technical staff that could not find better work for a long time. As more people who possess these talents, find themselves unable to sustain a living in the professional world; they are increasingly likely to turn to the growing professional underground.

Employment in the security industry is no longer premised on talent, ability, education, skill, or professional credentials, and there are essentially three markets that are increasingly reachable, for the malware professional world. 1) Third-world nations with strong technical educational programs are simply screaming for more of this sort of comparatively lucrative work to do. 2) Young people who lack the age or credentials to get picked up professionally, by the more respectable organizations, often crave the opportunity to put 'hacking' skills, developed in earlier years, to professional use. 3) Older technology workers, finding it difficult to find work in a market dominated by under-30-year-old people, often have large mortgages to pay, and children to put through college, and are willing to take whatever work they can find - if not to solve their financial problems, then perhaps to tide them over until a better solution presents itself.

It's not so much that spam, spyware, and adware marketers have become smarter, as it is that greater technical talent has become available to them. The same people who used to develop and use blacklists, and filter spam based upon header information for ISPs that have since gone bankrupt or been bought out, are now writing worms that mine email client databases, to extract names and addresses, and then use this, combined with email client configuration information, to send spam out from the user's host that the addresses were mined from. They are using the user's own name and email address, to spoof the sender - even using the SMTP server provided to the victim, by their ISP, to deliver the mail. This effectively permits them to relay through servers that are not open relays, and distributing the traffic widely enough to stay under the spam-filtering radar of the sending ISPs, and to evade the blacklisting employed by the receiving ISPs. It also permits them to leverage the victim's relationship to the recipients of the spam, in order to get them to open and read it - and sometimes, to get them to open attachments, or otherwise infect themselves with the worm that was used to reach them. The spammers have not previously been able to hire talent of this grade, very often - now, this talent is often not only available, but often desperate for cash, and therefore willing to work cheap.

It's a bit like an arms race. In the rush to develop enough technical talent to defend against this sort of thing, we have developed an over-abundance of talent in the area - and that talent is now being hired to work against us. This will presumably force people to work even harder at developing countermeasures, and repeat the cycle. Assuming, of course, that the threat is taken seriously enough by the public, to keep the arms race going. After all - once everybody has enough nuclear weapons to destroy all the life on Earth, then there isn't much point in striving to build more. You just have to learn to deal with the constant threat of extinction, and try not to take it too seriously - since there isn't really anything to be done about it, any more. We seem to be rapidly approaching this mentality, with regard to malware.

Astalavista : What is your opinion on ISPs that upgrade their customers' Internet connections for free, while not providing them with enhanced security measures in place? To put it in another way, what do you think is going to happen when there're more and more novice ADSL users around the globe, who don't have a clue about what is actually going on?

MrYowler : This comes back around to the second point, with regard to the problems of information security, today. People have little interest in anyone's security but their own.

The ISPs *could* block all outgoing traffic on port 25, unless it is destined for the ISP's SMTP servers - and then rate-limit delivery of email from each user, based upon login (or in the case of unauthenticated broadband, by IP address). This is a measure that would have effectively prevented both the desktop server and open relay tactics that I described in my paper, "Bulk Email Transmission Tactics", about four years ago, and it would severely constrain the flow of spam from zombie hosts in these user networks. The problem is that they don't care. They only care when the spam is *incoming*, and then they can point fingers about how uncaring someone else is. The same holds true for individual users.

It is neither difficult nor expensive to implement a simple broadband router, to block most incoming traffic which would be likely to infect user hardware with malware. It is also not difficult or expensive to implement auto-updating virus protection, spyware/adware detection/removal, and software patching. It could be done even more cheaply, if ISPs were to aggregate the costs, for all of their users, and buy service contracts for this kind of protection, in bulk, for their users, and pass the cost along as part of the 'upgraded' service. Unfortunately, the nominal cost of doing so, would have to be borne by users who do not take the threat seriously, and who only care about the threat, when it has a noticeable impact on them. Since many of the malware packages are designed *not* to have a noticeable impact on the user - using them essentially as a reflection, relay, or low-rate DDoS platform, or quietly extracting data from their systems which will be abused in ways not directly traceable to their computer - these users do not perceive the threat to be real, and are therefore unwilling to invest - even nominally - in protecting themselves from it. ISPs are not willing to absorb these costs, and they are not willing to risk becoming uncompetitive, by passing costs on to their subscribers; so they pay lip service to questions of security and antispam service, and perform only the most minimal tasks, to support their marketing claims.

As with most organizations, the security of the organization itself, lies at the focus of their security policies. The security of subscribers, other network providers, or other Internet users in general, is something that they go to some trouble to create the perception that they care about, but when the time comes to put their money where their mouths are, it's just not happening.

Astalavista : Thanks for your time.

MrYowler : Any time... :-P
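The two ISP-side controls MrYowler describes above (dropping subscriber traffic to port 25 unless it goes to the ISP's own relay, then rate-limiting each sender by login or, for unauthenticated broadband, by source IP) are sketched below as an added illustration. This is not code from the interview or from any ISP; the relay address, subscriber pool, flow records and the rate/burst figures are constructed placeholder values, and the per-sender limiter is an ordinary token bucket rather than any particular vendor's implementation.

```python
"""Egress filtering of TCP/25 plus per-sender rate limiting, modelled over
constructed connection records (added example; values are hypothetical)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical ISP mail relay and subscriber address pool (constructed).
ISP_SMTP_RELAYS = {"203.0.113.25"}
SUBSCRIBER_POOL = ip_network("198.51.100.0/24")


def egress_allowed(src: str, dst: str, dport: int) -> bool:
    """Policy: a subscriber may reach TCP/25 only on the ISP's own relays.
    Other destination ports, and flows from outside the pool, are untouched."""
    if ip_address(src) not in SUBSCRIBER_POOL:
        return True
    if dport != 25:
        return True
    return dst in ISP_SMTP_RELAYS


class TokenBucket:
    """One sender's allowance: `rate` messages/second, bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never beyond capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RelayRateLimiter:
    """Keys buckets by login when one exists, otherwise by source address."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.buckets = defaultdict(lambda: TokenBucket(rate, capacity))

    def accept(self, login: str, src: str, now: float) -> bool:
        key = login if login and login != "-" else src
        return self.buckets[key].allow(now)


# Constructed flow records: (seconds, src, dst, dport, login).
SAMPLE_FLOWS = [
    (0.0, "198.51.100.7", "203.0.113.25", 25, "alice"),  # to relay, under limit
    (0.1, "198.51.100.7", "203.0.113.25", 25, "alice"),
    (0.2, "198.51.100.7", "203.0.113.25", 25, "alice"),
    (0.3, "198.51.100.7", "203.0.113.25", 25, "alice"),  # burst exhausted
    (0.4, "198.51.100.9", "192.0.2.10", 25, "bob"),      # direct to a remote MX
    (0.5, "198.51.100.9", "192.0.2.10", 443, "bob"),     # ordinary HTTPS
    (0.6, "203.0.113.80", "192.0.2.10", 25, "-"),        # not a subscriber
    (5.0, "198.51.100.7", "203.0.113.25", 25, "alice"),  # bucket refilled
]


def process_flows(flows, rate: float = 1.0, capacity: int = 3) -> dict:
    """Classify each flow under the two controls and return the tally."""
    limiter = RelayRateLimiter(rate, capacity)
    tally = {"accepted": 0, "rate_limited": 0, "egress_dropped": 0, "passed": 0}
    for now, src, dst, dport, login in flows:
        if not egress_allowed(src, dst, dport):
            tally["egress_dropped"] += 1          # zombie talking to a remote MX
        elif dport == 25 and dst in ISP_SMTP_RELAYS and ip_address(src) in SUBSCRIBER_POOL:
            if limiter.accept(login, src, now):
                tally["accepted"] += 1
            else:
                tally["rate_limited"] += 1        # over the per-sender budget
        else:
            tally["passed"] += 1                  # policy does not apply
    return tally


if __name__ == "__main__":
    print(process_flows(SAMPLE_FLOWS))
```

With the constructed records, four of alice's submissions reach the relay, the fourth within the burst window is held back, bob's direct-to-MX connection is dropped at the edge while his HTTPS flow passes, and the non-subscriber flow is untouched. A real deployment would enforce the first control in the edge router or firewall and the second in the relay's submission service; the point of the model is that the dropped and rate-limited counts are exactly the traffic a compromised host would need in order to spam without the ISP noticing.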

Interview with a core founder of

Dancho : Hi Prozac, - the underground has been one of the most popular and well known hacking/security/cracks related web site in the world since 1997. How did it all start? What was the idea behind it?

Prozac : Basically, it was me and a college friend that started during our student years. The name of the site came from the movie Terminator 2 from Schwarzenegger's line " Hasta la vista Baby"! Back in those days there weren't many qualified security related web sites, and we spotted a good opportunity to develop something unique, which quickly turned into one of the most popular hacking/security sites around the globe. In the beginning, it was just our Underground Search List, the most comprehensive and up-to-date search list of underground and security related web sites, based on what we define as a quality site. Then we started providing direct search opportunities and started developing the rest of the site. Many people think we did some serious brainstorming before starting Astalavista, well, we did, but we hadn't expected it to become such a popular and well known site, which is the perfect moment to say thanks to all of you who made us as popular as we're today.

Dancho : always provides up to date, sometimes "underground" documents/programs. The Security Directory is growing daily as well, and it has been like this for the past several years. How do you manage to keep such an archive always online, and up to date?

Prozac : Astalavista's team members are aware of what's "hot" and what's interesting for our visitors, just because we pay an enormous attention to their requests for security knowledge, and try to maintain a certain standard, only quality files. While we add files every day, a large number of those are submitted by our visitors themselves, who find their programs and papers highly valued at our site, as we give them the opportunity to see how many people have downloaded their stuff.

Dancho : Astalavista occupies people's minds as the underground search engine. But what is all about?

Prozac : The majority of people still think is a Crack web site, which is NOT true at all. is about spreading security knowledge, about providing professionals with what they're looking for, about educating the average Internet user on various security issues; basically we try to create a very well segmented portal where everyone will be able to find his/her place. We realize the fact that we're visited by novice, advanced and highly advanced users, even government bodies; that's why we try to satisfy everyone with the files and resources we have and help everyone find precious information at Although we sometimes list public files, the exposure they get through our site is always impressive for the author, while on the other hand, some of the files that are listed at sometimes appear for the first time at our site. We try not to emphasize on the number of files, but on their quality and uniqueness.

Dancho : Everyone knows Astalavista, and sooner or later everyone visits the site. How did the image of Asta become so well-known around the world?

Prozac : Indeed, we are getting more and more visitors every month, even from countries we didn't expect. What we think is important is the quality of the site, the lack of porn, the pure knowledge provided in the most professional and useful way, the free nature of the site, created "for the people", instead of getting it as commercial as possible. Yes, we work with a large number of advertisers, however, we believe to have come to a model where everyone's happy, advertisers for getting what they're paying for, and users for not being attacked by adware or spyware or a large number of banners.

Dancho : A question everyone's asking all the time - is illegal?

Prozac : No! And this is an endless debate which can be compared to the Full Disclosure one. We live in the 21st century, a single file can be made public in a matter of seconds, then it's up to the whole world to decide what to do with the information inside. We're often blamed because we're too popular and the files get too much exposure. We're often blamed for serving these files to script-kiddies etc. Following these thoughts, I think we might also ask, is Google illegal, or is Google's cache illegal?! Yes, we might publish certain files, but we'll never publish "The Complete Novice Users on HOWTO ShutDown the Internet using 20 lines VB code". And no, we don't host any cracks or warez files, and will never do.

Dancho : Such a popular security site should establish a level of social responsibility - given the fact how popular it is among the world, are you aware of this fact, or basically it's just your mission that guides you?

Prozac : We're aware of this fact, and we keep it in mind when approving or adding new content to the site. We also realize that we still get a large number of "first time visitors", some of them highly unaware of what the security world is all about; and we try to educate them as well. And no, we're not tempted by "advertising agencies" eager to place adware/spyware at the site, or users submitting backdoored files, and we have a strict policy on how to deal with those - "you're not welcome at the site"!

Dancho : We saw a completely new and "too professional to be true" since the beginning of 2004 - what made you renovate the whole site, and its mission to a certain extent?

Prozac : It was time to change our mission in order to keep ourselves alive, and most importantly, increase the number and quality of our visitors, and we did so by finding several more people joining the team, closely working together to improve and popularize the site. We no longer want to be defined as script kiddies paradise, but as a respected security portal with its own viewpoint in the security world.

Dancho : What should we expect from in the near future?

Prozac : To put it in two words - changes and improvements. We seek quality and innovation, and have in mind that these developed by us, have an impact on a large number of people - you, our visitors. Namely because of you we're devoted to continue to develop the site, and increase the number of services offered for free, while on the other hand provide those having some sort of purchasing power and trusting us with more quality services and products.

Dancho : Thanks for the chat!

Prozac : You're more than welcome :)

Interview with Candid Wuest,

Astalavista : Candid, would you, please, introduce yourself to our readers and tell us more about your background in the security industry?

Candid : Well, my name is Candid and I have been working in the computer security field for several years now, performing different duties for different companies. For example, IBM Security Research and Symantec to name the most known ones. I got a master degree in computer science but, in my opinion, in this business curiosity is the main thing that matters.

Astalavista : What do you think has had a major impact on the popularity of malware in recent years? Is it the easiness of coding a worm/trojan or the fact that the authors don't get caught?

Candid : Why do people code worms? Because they can?

The first point I would like to mention here is the growth of the Internet as a whole in the last years. More people getting a system and more people getting broadband access means more people are exposed to the risks. You may say the fish tank has grown over the years; therefore it is clear that there is now also more space for sharks in it.

I think the few people who were caught have scared some and stopped them from doing the same, but the media hype they have caused has for sure attracted new ones to get started with the whole idea. So this might balance out even and these were mostly smaller fish, which didn't take enough precautions.

Another point to mention is that it is really easy to download a source code and create your own malware and it is getting easier every day. There are many bulletin boards out there with fast growing communities helping each other in developing new methods for malware or simply sharing their newest creations.

When recalling the last hundreds of worms we saw in the wild for the last time, most of them were similar and much alike. Nearly no direct destructive payload and not much innovation in regards to the used methods. Just a mass mailer here or an IRC bot there.

That’s why I think the motivation is a mixture of the easiness of doing so and the mental kick suggested from the media, which pushes the bad underground hacker image. (Even though the media uses the term hacker seldom correctly in its original meaning.) This seems to motivate many to code malware: just because they can.

In the future money might become a new motivation for malware writers, when industrial parties get involved in it.

Astalavista : Where's the gap between worms in the wild and the large number of infected computers? Who has more responsibility, the system administrators capable of stopping the threat at the server level, or the large number of people who don't know how to protect themselves properly?

Candid : As we all should know 100% security will never be reached, regardless of what the sysadmin and the end user do. A good example for this is the recent issue with the JPEG and TIFF malware, which sneaked through many filters.

In my opinion the sysadmins have the easier task, as they can enforce their restriction; often it's just a question of having the time to do it properly. Don't get me wrong here. I know the whole patching issue may be quite a pain sometimes. Of course, they have all the users and the management complaining if the restrictions are (too) tight but that's how it works, right :- )

Therefore I think often it is the end user who has not enough protection or simply does not care enough about it. Many users still think that no one will aim at them, as they are not an interesting target, but DDoS attacks for example do exactly target such a user. Of course, many end users don’t have the possibilities of a sysadmin. In general, it comes down to an AntiVirus and a personal firewall application, which still leaves enough space for intruders to slip through.

So, as always, it should be a combination of an ISP, a sysadmin and an end user working together to protect themselves.

Astalavista : We've recently seen a DDoS mafia, something that is happening even now. What is the most appropriate solution to fight these? Do you think this concept is going to evolve in time?

Candid : DDoS attacks are quite hard to counter if they are performed in a clever way. I have seen concepts for which I haven’t seen a working solution yet. Some can be countered by load balancing and traffic shaping or by simply changing the IP address if it was hard coded. More promising would be if you could prevent the DDoS nets from being created, but this goes back to question number three.

Astalavista : Have you seen malware used for e-spionage, and do you think it's the next trend in the field?

Candid : This is nothing new; malware has been used for industrial e-spionage for years. Usually, it just isn't that well known as those attacks might never get noticed or admitted in public. I have seen plenty of such attacks over the last years. This for sure will increase in time as more business relevant data gets stored in vulnerable environments. In some sort you could even call phishing an art of espionage. But I think the next big increase will be in the adware & spyware field where malware authors will start getting hired to write those applications as it already happens today. Or are you sure that your favourite application is not sending an encoded DNS request back somewhere?

Interview with Anthony Aykut, Frame4 Security Systems

Astalavista : Anthony, would you please tell us something more about your experience in the InfoSec industry, and what is Frame4 Security Systems all about?

Anthony : Sure. I guess I am what you would primarily call a "security enthusiast", with what I came to see as "a keen sense of security business enthusiasm". Actively following the Trojan/Virus community since my teens in the late-1980's, I have been working in the IT industry since the early 90's, though up until 2002 I have never felt the need to follow the IT security path. Let's just say that a certain chain of events made me "fall" into it :-)) ... and that is when I decided to start Frame4 Security Systems.

Frame4 Security Systems is a small IT-Security company based in the Netherlands. We offer the usual "out-of-the-box" professional security services (security audits, pen-testing, etc.), but we especially pride ourselves on our outstanding security awareness programs (seminars and courses), exceptional service, and our upcoming "ProjectX Security Knowledgebase". I really feel that we are on a unique playing-field with Frame4; whereas big (and often expensive) consultancies are primarily focused on big companies/contracts, bottom line figures and dead-lines - the Security Awareness on a personal (employee) level often gets overlooked. This creates a well-known security gap that gets exploited more and more often, rendering the million-dollar security solution back in the server-room absolutely useless. I have personally seen good examples of this within big companies -- and it is therefore we let the big boys do what they are good at by providing solid, proven solutions, whereas we have the unique opportunity of "fighting the disease from inside-out".

Astalavista : "Internet privacy", do these words still exist in your opinion?

Anthony : To a large extent (and unfortunately), no. But I guess this was to be expected with millions of people pumping their personal data into online databases and keeping information on their PCs. It is an open field, with little or no control or control structure. Let's face it, (personal) information and data is big business, and people will do absolutely anything from hacking databases to infecting people with spyware/trojans to extract that information. And in some cases, custodians of personal information have just made it way too easy for other (unauthorised) people to gain access to private data. I guess that's when the finger-pointing started :-)

But on a more serious note, I have friends who are so paranoid that they only surf the net behind a wall of proxies and anonymizers, under false/assumed names and identities. Me, I am just careful; I think when people have a basic online awareness level, and know what to look out for, it is no more a threat to your information than, say, putting your garbage outside and someone going through it (a.k.a. dumpster diving).

Astalavista : We have recently seen a large number of DDoS extortion schemes, whereas certain companies comply behind the curtains, should we consider every E-business site that goes down a victim of extortion schemes? What do you think a company should do in a situation like this?

Anthony : I personally think that "head-in-the-sand" ostrich attitude is completely wrong; pay once to one extortionist, and a dozen others will line up to grab that easy cash. I don't think you should comply and give in to any of these demands (I prefer to call them threats) but come out with it in the open and track down the perpetrators if possible. Openness, like some companies have chosen, may possibly dent your corporate identity on a temporary basis, but also takes away the power of the extortionist. We have seen that this approach is the lesser of two evils in general, especially true if your business does not depend on an internet presence per se.

Astalavista : In today's world of "yet another worm in the wild", what do you think are the main consequences for this cycle, and what do you think should be done in order to prevent it?

Anthony : Well, I am pretty clear on that. As long as publicly/privately available source-code floats around the web, not much can be done - unless the AV vendors come up with better technologies. It really is up to them to come up with better and improved techniques to protect our systems - more and more the current AV technology is showing that it is getting out-dated by being circumvented in many ways. I am more than aware that it is difficult to "protect against the unknown", but I just know there should be more. Maybe AV vendors should float a bit more within the "community" to gain awareness.

To be honest, with the advent of other malware, such as Trojans, Sniffers, Keyloggers and Spyware to name a few and many interesting technologies such as Firewall-Bypassing, etc. it is getting more and more obvious that we need an "All Comprehensive Malware Solution" than just a pattern based AV system. It just ain't cutting it anymore. Until then, keep up your defences and update those virus patterns on a daily basis!

Astalavista : The threat and actual infections with spyware opened up an entire market for anti-spyware related services and products, whereas millions of people out there are still infected, and some are even unaware of it. What is your opinion on the recent government regulations targeting spyware vendors, but allowing "spy agencies" to use spyware? What do you think is going to happen on the spyware scene in the next couple of years?

Anthony : Well, as I pointed out in your previous question, I tend to see Spyware almost in the same category as Trojans, Viruses and other malware. Subsequently I think things are going to get (much) worse before they (I hope, eventually) get better, and it is going to take some considerable changes in AV technology for one (along with our ways of thinking) to ensure people will not take advantage of these technologies to the disadvantage of others.

Currently things are not looking too good: governments have proven that we cannot trust their ineffective and inevitably slow schemes and until better/additional technologies are invented to bolster our AV defences, we are pretty much sitting duck targets. This has been proven yet again with the recent "hijacking" of 1000's of zombie/drone PCs to perform DDoS attacks, etc. So it is really up to the individuals to get at least some basic security measures up and running, and there are plenty of reputable web-sites out there to provide all the information one needs to secure themselves well.

Astalavista : Thanks for your time.

Anthony : No problem!

Interview with Dave Wreski,

Astalavista : Dave, tell us something more about your background in the InfoSec industry and what is all about?

Dave : I have been a long-time Linux enthusiast, using it before version v1.0 on my 386DX40 home PC, which prompted me to dump Windows shortly thereafter and I've never looked back.
In early 1993 I began to realize the tremendous value that Linux could bring to the security issues I was facing. I found the decisions I was making, with regard to managing computer systems, were more and more based on the impact security had on the data residing on those systems. It's certainly more challenging to keep the bad guys out than it is the other way round - the bad guys have to only be right once, while the good guys have to always make the right decisions. So I created a company to help ensure the good guys had the tools necessary to make the most effective options to keep their networks secure.

The void in comprehensive information on security in the Linux space was the primary reason I started in 1996. Since then, we have seen millions of visitors make it their primary information resource. In fact, we're completely revamping the site with new features, greater functionality and a whole new look - launching December 1st.

Astalavista : What was the most important trend in the open-source security scene during the last couple of years, in your opinion?

Dave : Actually, there have been so many that it's difficult to focus on any one in particular. Certainly, the adoption of open standards by many vendors and organizations makes it much easier to communicate between disparate systems securely. The maturity of the OpenSSH/OpenSSL projects, IPsec, and even packet filtering has enabled companies, including Guardian Digital, to create solutions to Internet security issues equal to, or better than, their proprietary counterparts.

Astalavista : The monopolism of Microsoft in terms of owning more than 95% of the desktops in the world has resulted in a lot of debates on how insecure the whole Internet is because of their insecure software. Whereas my personal opinion is that if Red Hat had 95% of the desktop market, the effect would be the same. Do you think their software is indeed insecure, or does it happen to be the one most targeted by hackers?

Dave : I think the mass-market Linux vendors try to develop a product that's going to provide the largest number of features, while sacrificing security in the process. They have to appeal to the lowest common denominator, and if that means delivering a particular service that is requested by their customers, then much of the responsibility of security falls on the consumer, who may or may not be aware of the implications of not maintaining a secure system, and in all likelihood, does not possess the ability to manage the security of their system.

Astalavista : The appearance of Gmail and Google Desktop had a great impact on the privacy concerns of everyone, however these expenditures by Google happened to be very successful. Do you think there's really a privacy concern about Google, their services and privacy policy, and, most importantly, the future of the company?

Dave : No, not really. I actually think that most of us gave up our privacy years ago, and any privacy that remains is only in perception. There's far more damage that could be done through things like the United States Patriot Act than there is through Google reading your general communications. Anyone who has half a brain and wants to make sure their communications are not intercepted is using cryptography for electronic issues.

Astalavista : We've recently seen an enormous increase of phishing attacks, some of which are very successful. What caused this in your opinion? What is the way to limit these from your point of view?

Dave : Reduce the human factor involvement somehow. Phishing is just the new "cyber" term for social engineering, which has existed forever. Through the efforts of Guardian Digital, and other companies concerned about the privacy and security of their customers' data, we are making great strides towards user education, and providing tools for administrators to filter communications.

Astalavista : Spyware is another major problem that created an industry of companies fighting it, and while the government is slowly progressing on the issue, the majority of PCs online are infected by spyware. Would you, please, share your comments on the topic?

Dave : This issue is different from issues such as phishing because the end-user is not aware it is occurring. The responsibility here falls directly on the operating system vendor to produce an environment where security is maintained. In other words, by creating software that enables the end-user to better define what constitutes authorized access, users can develop a situation where this type of attack does not succeed. In the meantime, application-level security filters and strict corporate information policies thwart many of these types of attacks.

Astalavista : What do you think will happen in the near future with Linux vs. Microsoft? Shall we witness more Linux desktops, or will entire countries be renovating their infrastructure with Unix-based operating systems?

Dave : We are already seeing a growing trend on an international level in the migration from Windows operating systems to Linux. Guardian Digital has implemented several Linux-based solutions for multi-national and international corporations who recognize the costs and security risks associated with a Windows system, and if our business is any indication of the growth potential, I'd say Microsoft is going to have a real fight on their hands.

Although I'm not too involved in the desktop space itself, I am completely comfortable with my cobbled-together Linux desktop, much more than just a few years ago. I think that as more and more computing tasks become distributed - moved from the desktop to being powered by a central server - it will become easier to rely on Linux on the desktop and the growth will continue.

Interview with Mitchell Rowton,

Astalavista : Hello Mitchell, would you please tell us something more about your background in the information security industry, and what is all about?

Mitchell : I joined the US Marine Corps after high school. There I worked a helpdesk for a year or so before moving on to being a server administrator. After a while I became more and more interested in the networking side of things (switches and routers). Firewalls weren't used that often back then, and one day I was asked to put up an access-control list (ACL) on our border router. After that I started getting more and more security responsibility. When I left the Marine Corps I used my security clearance to get a job as a DoD contractor, then a contractor in the health care industry.

By this time in my life I had a wife and kids. So I took a job that was more stable, didn't have as much travel, and was closer to home. When I think back, this is probably when the idea behind was born. While I was leaving one job and going to another I was told to do a very in-depth turnover about starting an incident response team at the company. So how do you explain how to start an incident response team at a Fortune 500 company in a turnover document? After a while I gave up and put several dozen links to white papers that discuss starting an incident response team.

Basically that's what is - a collection of security white papers that are organized into categories so that it's easy for someone to learn any particular area.

Astalavista : The media and a large number of privacy-conscious experts keep targeting Google and how unseriously the company is taking the privacy concerns of its users. What is your opinion on that? Do you think a public company such as Google should keep to its one-page privacy policy and contradictory statements, given the fact that it's the world's most popular search engine?

Mitchell : I should start off by saying that my company makes money through Google's Adsense program. That being said, it seems like most of the media hoopla surrounding Google privacy has centered around gmail and desktop search. I just don't see a problem with either of these issues. I signed up for gmail knowing that I would see targeted text ads based on the content of e-mail that I was viewing.

And I know that Google is going to learn some general stuff about everyone's desktop searching habits. They will know that PDFs are searched for more often than spreadsheets and other non-specific information. None of which is personally identifiable.

Astalavista : Phishing attacks are on the rise; each and every month we see an increasing number of new emails targeting new companies. What do you think of the recent exploit of the SunTrust bank web site? Are users really falling victim to these attacks or, even worse, are they getting even more scared to shop online?

Mitchell : The blame in this specific case falls mostly with the bank, but also on the users. I can't remember the last time my bank asked me for my ATM or credit card number on a non-secure page. That being said, I know that my grandmother would probably fall for this. Sure, users should check for SSL certificates and use common sense. But more importantly, financial institutions should not allow cross site scripting or malicious scripting injections.

If this type of phishing continues to rise then I imagine it will make the average user a little more worried about giving information online. This is bad for companies, but as a security guy, I think that most users should be more worried about who they give their information to. There are a lot of phishing attacks that have nothing to do with the institutions. In cases like this, users must use some basic security common sense or risk getting scammed.

Astalavista : What used to be a worm in the wild launched by a 15-year-old kid or hacktivist has recently turned into "DDoS services on demand". What do you think made this possible? Is it the unemployed authors themselves, the real criminals realizing the potential of the Internet, or the unethical competition?

Mitchell : I'm sure it's a combination of all three. But it's also getting more popular because it hurts more today than it used to. Five years ago an organization's web site was usually little more than an online brochure that wasn't too important in the scheme of things. Today their website is probably tightly integrated into their business model, and will cause a large financial and reputation loss if it is compromised or unusable.

The first step in doing a security assessment is to determine what's really important. Most companies should realize that having the same security mechanisms in place that they had three years ago is putting them more and more at risk because these security mechanisms are protecting information that gets more important every day.

Astalavista : Recently, the FBI has been questioning Fyodor, the author of NMAP, over accessing server logs from Do you think these actions, legal or not, can have any future implications on the users' privacy at other web sites? I mean, next it could be any site believed to be visited by a criminal, and besides all, how useful might this information be in an investigation?

Mitchell : I had a mixed reaction when I first read about this. But I must say that Fyodor handled this superbly. He sent an e-mail out telling people what was happening and explaining that he was only complying with properly served subpoenas. He also puts things into perspective. If someone hacks into a server and downloads nmap at a specific time, then perhaps law enforcement should be able to view the nmap server logs for that specific time. On the other hand, what if I were also downloading NMap at that time? I personally wouldn't care if anyone knows that I download nmap, but I can also understand why other people would be bothered by this. Overall I agree with very narrow subpoenas directed at specific time periods and source IPs.