Thursday, January 26, 2006

Security Interviews 2004/2005 - Part 2

Part 2 includes :
11. Eric (SnakeByte) - http://www.snake-basket.de/ - 2005
12. Björn Andreasson - http://www.warindustries.com/ - 2005
13. Bruce - http://www.dallascon.com/ - 2005
14. Nikolay Nedyalkov - http://www.iseca.org/ - 2005
15. Roman Polesek - http://www.hakin9.org/en/ - 2005
16. John Young - http://www.cryptome.org/ - 2005

Go through Part 1 and Part 3 as well!

Part of Asta's Security Newsletter
---------------------------
Interview with SnakeByte (Eric), http://www.snake-basket.de/

Astalavista : Hi Eric, would you please introduce yourself to our readers and share your experience in the security scene?

Eric : I am 24 years old, currently studying computer science in Darmstadt, Germany for quite some time now. I am mostly a lazy guy, doing whatever I am currently interested in. My interest in computer security started with viruses ( no, I never spread one ), which were really interesting back then, but nowadays every worm looks the same ;(

Astalavista : Things have changed much since the days of Webfringe, Progenic, BlackCode etc. What do you think are the main threats to security these days? Is it our dependence on technologies and the Internet, the fact that it's insecure by design, or do you have something else in mind?

Eric : I think security itself got a lot better since then, but we have more dumb users who work hard to make it worse now. Most users nowadays get flooded with viruses and just click them; also the recent rise in phishing attacks - it's not the box which gets attacked here, it's the user. Security also got a lot more commercial.

Astalavista : What is your opinion on today's malware and virii scene? Do you think that groups such as the infamous A29 have been gaining too much publicity? What do you think motivates virii writers and virii groups now in comparison to a couple of years ago?

Eric : It's 29a :) And they deserve the publicity they got. They did and are doing some really cool stuff. But they also were clever enough to be responsible with the stuff they created. About motivation for virii writers - it's different for each of them, you'd have to ask them.

But I think there is a new motivation - money. Nowadays you can get paid for a couple of infected computers, so spammers can abuse them.

Astalavista : What do you think of Symantec ? Is too much purchasing power under one roof going to end up badly, or eventually the whole industry is going to benefit from their actions?

Eric : Sure monopolies are always bad but we get them everywhere nowadays. Maybe we need another revolution...

Astalavista : Is the practice of employing teen virii writers possessing what is thought to be a "know-how" a wise idea? Or does it just promote a lack of law enforcement and create hordes of source-modifying or real malware coders?

Eric : I don't think it is a wise idea at all, but don't tell my boss ;-) Whether one has written virii or not should not influence your decision to hire him/her.

Astalavista : Application security has gained much attention lately. Since you have significant programming experience, what do you think would be the trends in this field over the next couple of years, would software be indeed coded more securely?

Eric : Maybe, if universities started to teach coding in a secure way instead of teaching us more java bullcrap. But I think the open source development is indeed helpful there. If you want to run something like a server, a quick glance at the code will tell you whether you really want to use this piece or search for another one.

Astalavista : Microsoft and its efforts to fight spyware have sparked a huge debate over the Internet. Do you think it's somehow ironic that MS's IE is the number one reason for the existence of spyware? Will we see yet another industry built on MS's insecurities?

Eric : It's the only reasonable way for MS to react. Heh, they are just a company.

Astalavista : The Googlemania is still pretty hot. Are you somehow concerned about their one-page privacy policy, contradictory statements, and the lack of retention policies, given the fact that they process the world's searches in the most advanced way and the U.S. post-9/11 Internet wiretapping initiatives?

Eric : Yes I am, that's why their only product I use is the websearch function. As soon as I find another good website like google.

Astalavista: Thanks for your time Eric!
-----------------------------------------

Interview with Bjorn Andreasson, http://www.warindustries.com/

Astalavista : Hi Bjorn, would you please introduce yourself and share some more information about your background in the security world?

Bjorn : My name is Bjorn "phonic" Andreasson and I live in Sweden, I'm turning 22 this year. I've been a part of the so called "underground" since the age of 14, which gives a total of 8 years. I got my first computer at the age of 13 and I quickly got involved in Warez as my uncle showed me some basic stuff about the internet. After a while I realised Warez websites were "uncool" because of all the popups, porn ads, only trying to get as many clicks on your ads as possible to earn enough money to cover your phone bill. So, there I was viewing the Fringe of the web (www.webfringe.com) and I found all those wonderful h/p/v/c/a websites, which caught my eye. I knew I could do better than most of these guys as I had a lot of experience from the Warez scene - I knew how to attract visitors quickly. The first version of War Industries I believe was a total ripoff from Warforge.com as I didn't know better at the age of 15/16. I quickly understood this wasn't the way to do it, so I made my first version of the War Industries and I might add it looked VERY ugly as I recall it :)

From there I have had several designers making new versions, trying to improve it, and I believe we've achieved that goal now. It should be mentioned that between 2000 and 2003 War Industries was put on ice as I couldn't cover the expenses, so it was only me and a friend keeping the name alive until 2003 when I relaunched the website and turned it into what it is today (Badass). I've also been a part of the Progenic.com crew as well. As for the Blackcode.com crew, it was practically my work that made BC famous because I sent a shitload of hits to it back in '99 when WarIndustries received 4,000 unique hits on a daily basis. I also owned www.icqwar.com which held only ICQ war tools, some of my own creation, very basic but handy. The site had 3,000 unique hits on a daily basis after only one week online. After four weeks I got a letter from AOL to give them the domain name or be sued. What could I do? 16 years old, of course, I gave it away! Well that's pretty much my story.

Astalavista : WarIndustries.com has been around since 1998, nice to see that it's still alive. What is the site's mission, is it hacking or security oriented? Shall we expect some quality stuff to be released in the future, too?

Bjorn : WarIndustries can't really be placed anywhere. It's either black, gray or white hat. I'd say we're a mix with a touch of them all. Our focus is to enlighten people in the means of programming, getting them to know google as their best friend. We've released a couple of video tutorials which are very popular because they make things so easy. We're going to release a couple of new ones soon, as soon as we get around to it, as most of us have jobs and other stuff to attend to. Don't miss out on our brand new T-shirts coming up in a month! If you're something, you've got to have one of those!

Astalavista : What do you think has changed during all these years? Give a comparison between the scene back in 1998 as you knew it and today's global security industry, and is there a scene to talk about?

Bjorn : I'd say people are way more enlightened today. Back in '98 you could pretty much do anything you liked without getting caught. Today you can't even download Warez without getting problems. I'd say there's a scene but very different from the oldschool I know. I am trying not to get involved and I have my own way. Maybe that's why WarIndustries is so popular.

Astalavista : Is Google evil, or let's put it this way, how can Google be evil? Why would Google want to be evil and what can we do about it if it starts getting too evil?

Bjorn : Google is not evil, Google is your best friend!

Astalavista : Give your comments on Microsoft's security ambitions, given the fact that they've recently started competing in the anti-virus industry. They even introduced an anti-spyware application - all this coming from MS?

Bjorn : If it wasn't for Microsoft, there wouldn't be viruses, so I'm blaming them for writing crap software. Why do they always leave a project unfinished and start another one? I mean Windows XP is working fine, why Longhorn? Why can't they make XP totally secure, like OpenBSD, where there hasn't been a remote root exploit for many years from what I've heard? That's security! If I didn't know better, I'd say MS is writing low-quality software so they can get into the Anti-virus scene and make even more profits!

Astalavista : Recently, the EU has been actively debating software patents. Share your thoughts on this and the future of open-source software?

Bjorn : I can't make up my mind when it comes to Open/Closed source. There are benefits from both sides. Open source is fixed much quicker but also discovered way more often than closed. This is my opinion.

Astalavista : In conclusion, I would really appreciate it if you shared your comments about the Astalavista.com site and, particularly, about our security newsletter?

Bjorn : Actually, I haven't checked out Astalavista that much. I have known it for many years but I never got around to it. I promise I'll check it out!

Astalavista : Thanks for your time Bjorn!
--------------------------------------------

Interview with Bruce, http://www.dallascon.com/

Astalavista : Hi Bruce, would you please share with us some more information on your background in the security industry and what is DallasCon 2005 all about?

Bruce : Thanks for this opportunity. I have over 7 years of engineering experience working as a Systems Engineer for companies such as Nortel Networks and Fujitsu. Realizing the importance of real information security training experience for everyday people, about 4 years ago a few colleagues and I decided to start a truly academic Information Security Conference in Dallas and see what happens. We held the first DallasCon in 2002, just a few months after the tragic events of September 11, 2001 in the U.S. The response was overwhelming, with academic papers being presented from as far away as Russia and attendees coming from countries such as Japan and China.

Astalavista : There are so many active security cons and conferences out there that it is sometimes hard to decide which one is worth visiting. What, in your opinion, makes a con/conference qualified? Do you think that although there's nothing wrong with commercialization, some cons are becoming too commercial, so they have lost sight of what their vision used to be in the very beginning of their history?

Bruce : Truly, I must admit the lure of money being thrown at many conferences similar to ours is sometimes overwhelming. When a company such as Microsoft comes knocking on your door with a fist full of cash wanting to buy into a Keynote speaker slot, it's hard to resist the temptation to give in. But we have tried to separate the academics from the commercial side. The training courses and the conference itself are designed to present the latest unbiased view of current trends in information security. We have a team of dedicated colleagues that read every paper carefully and look for flagrant promotions of certain technologies or companies. They also work very closely with the speakers who are chosen to present at DallasCon, to make sure that they know what is expected from them. We do offer sponsorship opportunities to companies to help us carry the costs of such an event, but we try very hard to separate the business side from what people come to DallasCon for, which is the latest unbiased view of the trends and research in information security. I think many conferences lose sight of what made them big and forget their roots.

Astalavista : Like pretty much every organization, ChoicePoint or T-Mobile keep a great deal of personal, often sensitive information about us, as citizens, students or employees. What actions do you think should be taken by the general public, the companies themselves and the government to ensure that the security within such databases or service providers is well beyond the acceptable level of security for most organizations?

Bruce : I think companies need to stop treating their customers like numbers and really put a face with the information that they are gathering. When someone gives you detailed information about themselves, they have put their trust in your company to protect them. When a breach is made, the customer feels betrayed and may never come back to you to do business. I laugh when I hear that huge multi-billion dollar companies are constantly having their customer data stolen. I wonder how much they are really spending on security? How much are their customers worth to them? These days it is hard to distinguish between legitimate companies and fake ones online. It's funny, but people have trouble revealing their credit card information or social security number to a physical business down the street, but put the same business online and people throw that information at you without thinking twice. I think consumers need to stop taking security for granted and use some common sense. The first step of security is common sense... You can't put a price on that!

Astalavista : Two words - Symbian and malware - what are your assumptions for the future trends on the mobile malware front?

Bruce : I predict that it will be huge. The future of mobile OS is wide open and as the competition for market share grows, mobile companies want to offer anything they can in a smart-phone. I am always surprised at what phones can do right now... in a few years, they might even serve us breakfast in bed! The downside is the huge vulnerability of the mobile OS. First of all, more people own phones than computers around the world. It is the obvious next frontier for virus writers. Secondly, theoretically, it is much easier to infect an entire phone network than PCs. All you need is one infected phone syncing with a base station. Again, I go back to my previous answer, people need to use common sense... Do you really need to put your financial data or your sensitive e-mail on your phone?

Astalavista : What is your opinion about the mass introduction of biometrics on a worldwide scale?

Bruce : Good - it will make security more individualized. We will all carry our security inside our DNA. Bad - it might increase the market for organ theft! (just kidding!)

Astalavista : In conclusion, I would appreciate it if you shared your comments about the Astalavista.com site, and particularly about this security publication?

Bruce : I have been visiting Astalavista.com for many years now, and I am very impressed with the up to date cutting edge news, articles and really underground topics covered on your site. When we wanted to really reach out to the educated hacker community, Astalavista.com was the obvious choice. Thanks for putting us on your site and thanks for helping us promote our event.

Astalavista : You're welcome, wish you luck with the con!
-----------------------------

Interview with Nicolay Nedyalkov, http://www.iseca.org/

Astalavista : Hi Nicolay, would you, please, introduce yourself to our readers and share some info about your experience in the information security industry? Also what is ISECA all about?

Nicolay : My interest in information security dates back to 1996. At that time, respected Bulgarian experts from all over the country used to meet periodically at closed seminars where we exchanged our ideas and experience. At a later stage we developed the phreedom.org E-zine. I have also participated in numerous national and international mathematics and IT contests.

Currently I am a managing director of the R&D department of one of Bulgaria's most prominent IT companies – Information Service. In 2002 I decided to initiate an InfoSec course at the University of Sofia. Once the course "Network Security" became part of the university's curriculum, we immediately got the interest of over 500 students. During 2003, with the help of several experienced security colleagues of mine, we developed another fresh and very useful course in "Secure programming". Both of the courses fitted perfectly into the program curriculum and actually they attracted more students than we had expected. I am also teaching four other courses in Software technologies. As a whole, we contributed to the development of IT education in Bulgaria by establishing ISECA (Information Security Association), whose main purpose is to connect our members and inspire them to innovate, create, and enrich their personal knowledge, while being part of a unique community.

Astalavista : Correct me if I'm wrong, but I believe not many Eastern European universities emphasize the practicality of their computer and network security courses? What are your future plans for enriching the course selection further, and also integrating a more practical approach into your curriculum?

Nicolay : During the last couple of years we have seen a definite slowdown in Europe regarding information security courses and programmes. Until now we have already developed over eight courses, including the course Information Systems Security Audits, which is widely applicable. Further, there is intensive work on the development of a new Network & Software Security Lab. We are also negotiating with ABA representatives for the introduction of a professional certification program – "Risk Management in the Financial and Banking Sector".

In fall 2005, the University of Sofia will start a specialized master's Information Security Program, coordinated by ISECA.

Astalavista : Who are the people behind ISECA, and what are the current local/global projects you're working on, or intend to develop in the upcoming future?

Nicolay : Our core members include certified security consultants and auditors, researchers, IS managers and teaching professors. Among the key projects we've already developed or we are working on at the moment are:

- A National Laboratory for Network and Software Audits, being developed in close cooperation with the University of Sofia. The lab will be used for audits and R&D in the industry.
- An Information Security Portal – ISECA
- A National anti-spam system and its integration with international ones like SpamHouse
- Safeguarding the local business interests of information security and promoting its development on a government level
- Active participation in the development of the Bulgarian Law for E-trade and E-signature
- Subscription based "Vulnerability Notification" service
- Centralized log analysis and security monitoring

Astalavista : What is the current situation of the Bulgarian IT and Security market? What was it like 5 years ago, and is there an active security scene in the country?

Nicolay : We are currently witnessing a boom in the Bulgarian demand for information security services as a great number of businesses are realizing the importance of information security. On the other hand we are in a process of building strategic relationships with Bulgarian and multinational companies providing security related products and services. In the last couple of years official government bodies also have emphasized sustaining secure communications. In response, our main goal in the upcoming future would be to build a collaborative working atmosphere with stable relationships between key partners and experts.

Astalavista : Bulgaria and Eastern Europe have always been famous as a place where the first computer viruses actually originated, to name the Dark Avenger as the most famous author. What do you think caused this - plain curiosity, outstanding programming skills, or do you have something else in mind?

Nicolay : It is a fact that Bulgaria is known for its potential in the creation of viruses, trojans and malware in general. The thing is that there are a great number of highly skilled experts, who cannot apply their talent in the still growing local market; consequently they sometimes switch to the dark side. One of our main aims is namely to attract people with great potential and provide them with a professional and stable basis, on which they could develop themselves on the right track. The Bulgarian – Dark Avenger, well, he used to be an idol for the virus writers and the name still brings respect.

Astalavista : Is there an open-source scene in Bulgaria, how mature is it, and do you believe the country would be among the many others actively adopting open-source solutions in the future, for various government or national purposes?

Nicolay : Yes, there is a Free Software Society. Several municipalities have already turned into E-municipalities with the help of open source software. There was a proposition for the introduction of a law for integrating open source software within the government's administration, which was unfortunately rejected later on. The Free Software Society is in close contact with various political movements, which reflects the overall support and understanding of open source from the society. The use of open source is also within the objectives of one of the main political parties in the country, a goal that resulted from the many initiatives undertaken by the Free Software Society. ISECA's members are also active participants in the core direction of the FSS. We are currently developing a new open source research team, part of Information Service – OSRT (Open-Source Research Team).

Astalavista : How skilled is the Bulgarian IT labor market and do you think there's a shortage of well-trained specialists in both IT and Information Security? How can this be tackled?

Nicolay : There are a great number of highly qualified software developers in Bulgaria, who created the Bulgarian Association for Software Developers. We have had numerous joint seminars and lectures between ISECA and the Association. One of our main objectives is namely to locate and unite the highly qualified IT and Security experts within Bulgaria. Both organizations are constantly seeking to establish stable relations with international organizations with the idea to exchange experience and promote mutually beneficial partnerships.

Astalavista : India is among the well-known outsourcing countries for various IT skills, while on the other hand Bulgarian programmers are well-respected all over the world, winning international math and programming contests. Do you think an intangible asset like this should be taken more seriously by the Bulgarian Government, and what do you think would be the future trends?

Nicolay : Every year there is a leakage of highly qualified young professionals with great potential for growth, looking for further career development. The core reason for this "brainwave", so painful for the Bulgarian economy and society, is the lack of a relevant government policy ensuring stable and beneficial career opportunities for the young generation. I honestly hope that further government policies, not only those related to the IT industry, would be successful in providing what a nation needs – a bright future for its brightest minds.

Astalavista : In conclusion, I wanted to ask you what your opinion is of the Astalavista.com web site and, in particular, our security newsletter?

Nicolay : I have been visiting Astalavista.com since its early days and it is great to see that recently the portal has successfully established itself among the few serious and comprehensive sites. Furthermore, you can always find whatever you are looking for - software, as well as recommendations and shared experience in information security. I believe Bulgaria needs the same high quality portal, which is one of our main ideas behind ISECA.

Astalavista : Thanks for your time!
-------------------------------------

Interview with Roman Polesek, http://www.hakin9.org/

Astalavista : Hi Roman, would you please introduce yourself, share some info about your background in the security industry, and tell us what Hakin9 is all about?

Roman : My name is Roman Polesek, I have been the editor-in-chief of the 'hakin9 - practical protection' magazine since Summer of 2004. I'm 27 years old, if it matters. This might be a bit surprising for folks who know our magazine well, but I'm more a journalist/editor (and that is my education) than a CS/security master. Of course, I worked as a sysadmin for some time, use mainly Unices and code in several languages, but in the IT industry world I'm rather a self-made man. I suppose I have no right to call myself "a hacker" in the proper meaning of the word. In short, 'hakin9' -- subtitled "Hard Core IT Security Magazine" -- aims to be a perfect source of strictly technical, IT security related quality information. We noticed that both the market and the community lack comprehensive, in-depth works on this topic. The decision was pretty simple: "Let's do it and let's do it good -- we cannot fail". At the moment, with a total circulation of nearly 50 thousand copies, we have 7 language versions. The magazine is available worldwide, by subscription or in distribution. However, it's important to remember that we are not encouraging anyone to commit any criminal acts. Besides the disclaimers published in every issue of the mag, we emphasize the legal matters wherever possible. We do not want to make a magazine for the so-called script-kiddies and assume that our readers are professionals and require some portion of knowledge to fully utilize the magazine's content. On the other hand, as we all know, "Information wants to be free".

There's no reason to avoid any particular subjects. Every article that precisely describes an attack technique includes a section that is to help defend against the threat we present. 'hakin9' is not only a magazine. A free cover CD is attached to every hardcopy. The disc includes a live Linux distribution called 'hakin9.live' along with plenty of useful documentation [RFCs, FYIs, HOWTOs] and a really huge amount of computer/network security applications. We also prepare our own tutorials that allow readers to exercise the techniques described in articles [only in their very own networks!]. Starting with the next issue of 'hakin9', the CD will also contain full versions of commercial applications for Windows. Although we rarely use Microsoft Windows, we consider it useful and some of the readers requested such software. One of the articles from each issue is available for free, just to make sure anyone that buys 'hakin9' won't regret the purchase. See our website if you're interested in trying 'hakin9' articles.

Astalavista : What do you think are the critical success factors for a security oriented hard copy magazine?

Roman : I am convinced that the crucial matter is honesty. Our target readers are highly educated, extremely intelligent people and would easily recognize any marketing lies. We just do not say things that aren't true. Everyone can see what we publish and how we do it. The other important thing is diversity. It's obvious that creating a magazine that fits everybody is impossible. There will always be a guy that is not satisfied with, say, the cover story or the layout or anything else. This is nothing unusual, but should be expressed loud and clear. That's why we cover different topics -- from e.g. attacks on the Bluetooth stack, through data recovery in Linux or anti-cracking techniques for Windows programmers, to methods of compromising EM emissions. Last but not least, the mother of all successes is making people aware of the magazine's existence. Nobody would buy 'hakin9' unless they know we are available. But the main thing is that magazines like ours will never be mass publications; they have their niche that needs to be cultivated. The general rule -- for all press publishers, not only us -- is "Respect your readers and they will respect you". Selling many copies of one issue, using lies and misleading information, is not difficult. What's difficult is to make sure that users will consider you a professional who just makes a good magazine, not a travelling salesman.

Astalavista : What is the current situation in Poland's IT and Security scene, and do you think it's developing in the right direction from your point of view, besides Poland's obvious anti-software-patents policy?

Roman : Yes, "Thank you Poland" and all. It's always nice to know that someone in the world has positive connotations with your country. But I cannot give you any general overview of the Polish scene. It's just too diverse and I work with IT specialists from all over the world, so I do not concentrate on Poland particularly. After all, most of the important things happen in the USA. Really, the main problem in Poland is software piracy. I'm not talking about P2P networks specifically, I'm talking about the consciousness of Polish people. They are just not aware of the fact that using cracked apps is a crime, pure theft. I suppose this problem is present in all countries. And poverty does not justify such a procedure at all; we have plenty of free substitutes for even the most popular software. The Polish scene (I mean the community by that, of course) is not very different from any other country. We do have a very strong group of open source ideologists (some might call them the followers of Richard Stallman :)), we do have some anti-patent people (I'd recommend http://7thguard.net for those who understand Polish). But we do not have any spectacular successes with any real inventions or discoveries (mind that for now I'm talking about the community, not the corporations). I'd only mention two phenomena your readers might have heard of. One is LSD [Last Stage of Delirium], an independent research group known for pointing out bugs in Microsoft RPC some years ago. The other well known one is Michal "lcamtuf" Zalewski, the author of a powerful passive network scanner called "p0f" and a set of very useful debugging/binary analysis tools called "fenris". The reason for this unimpressive situation is the fact that Poland was cut off from the capitalist world for nearly 50 years [and ENIAC was introduced in 1947], so we were isolated from real computing during that time. We just have to make up these 50 years in the next few years. On the other hand, IT specialists from Poland -- say, programmers -- are considered very ingenious and good workers. For offshore corporations they are really attractive.

Astalavista : During 2004/2005 we've seen record-breaking *reported* vulnerabilities. What do you think is the primary reason: the increasing Internet population, programmers deepening their security knowledge, companies in a hurry to integrate more features with a trade-off in security, or perhaps something else?

Roman : All of them. The increasing number of Internet users does not directly influence the number of vulns found, though. The new Internauts are mainly people who have never used computers and networks before. Of course the other thing is that the Internet "aggregates" huge amounts of data, which was publicly unavailable before. There are more and more programmers and IT security specialists. Their population is constantly growing, be it because of the money they can earn or just the popularity of Computer Sciences. To be honest, most of them are at most average at their job, but for example people from India and China have great potential. But you are right. Marketing and pressure for higher sales make companies work in a great hurry; they just don't care about average Joe Sixpack. And Joe Sixpack would hardly ever notice any security vulnerabilities, not to mention they would probably never report such flaws. Finding bugs in software has also become some kind of a fashion these days. It's an intellectual challenge, similar to solving riddles. No wonder that along with the increasing number of people able to understand, say, C code, the number of vulns reported increases. There is one more thing I'd like to mention. I suppose that the scale of reported vulns would appear far greater if proprietary software creators informed about all flaws found in their products. It's not in their interest, of course.

Astalavista : Thought, or at least positioned, to be secure, Macs and the Firefox browser have started putting a lot of effort into patching the numerous vulnerabilities that keep on getting reported. Is it the design of the software itself or the successful mass patching and early response procedures that matter most in these cases?

Roman : I have great respect for Apple products, though the only Mac I use is a very old Performa :), just for experiments with BSD distributions. I consider Macs secure in general. I also use Mozilla Firefox daily. I'd bet on the latter case, but like I said I'm no programming guru. The developers try to act fast and release patches as soon as possible, so at least average users can feel secure. The fact that there are plenty of developers only makes it better. Bugs in the code are not a nemesis in themselves; you cannot avoid bugs in more complex applications. The only solution that makes sense to me is to conduct constant audits and release patches frequently. Look at Microsoft Internet Explorer [I am aware this example is a bit trivial]. I have a feeling that this company's way of dealing with flaws is just childish; it reminds me of covering your own eyes and hoping it will make you invisible to the other kids on the playground. I'm not criticizing Microsoft at all -- it's just that a company with so many great specialists has problems with securing their code, and their software is the most popular solution in the world, no doubt. Apple is competing with Windows in general and Firefox tries to bite off a part of the browser market. Looking at their financial and market share results makes me sure that the way the patches are done by these enterprises is the only right solution. Repeating that your product is secure and just better does not make it secure and better.

Astalavista : In May, a DNS glitch at Google forwarded its traffic to www.google.com.net (GoSearchGo.com) for 15 minutes. What are your comments about this event when it comes to security and mass DNS hijacking attempts on a large scale? Do you also picture a P3P enabled Google used on a large scale in the near future, and do you fear that Google might be the next data aggregator (they are one to a certain extent) to be breached into?

Roman : The real point is -- DJB mentioned that in an interview for the next issue of 'hakin9' -- that some of the protocols we use, especially SMTP and DNS, are outdated. To be precise, they were outdated at the moment they were being created. It's nobody's fault. We have a saying in Poland that "Nobody is a prophet in his own country". Even Bill Gates didn't notice the potential of the Internet. I would say Google has really nothing to do with any DNS forgery. The protocol is flawed. What's worse, we could live without the problematic SMTP, but not without DNS, which is the core of the Internet. For example, I just cannot imagine my mother using IP addresses to surf the WWW. I'm not afraid of threats to Google security. They have technology, they have money, they have ideas. I might say that it's Google which will start and force security improvements in the domain resolving mechanism. Daniel J. Bernstein claims that the first thing we should do is to implement some method of authentication in the DNS protocol. Be it PKI, be it anything else -- we have to do it so that we would have some time to introduce a really secure DNS replacement. As for the hijacking itself, I consider it one of the most primitive kinds of abusing IT infrastructure. It's just like taking over somebody's house. It's as bad as deleting someone's data for sport or DDoS attacks used for fun and/or profit.

Astalavista : Anonymous P2P networks have been getting a lot of popularity recently namely because of RIAA's lawsuits on a mass scale. How thin do you think is the line between using P2P networks to circumvent censorship in Orwellian parts of the world, and the distribution of copyrighted materials?

Roman : The 'hakin9' team likes P2P networks, the more anonymous, the better. We use them for distributing our free articles and our CD. It makes me laugh when **AAs send e-mails with legal threats based on the American legal system to Polish or Swedish citizens. Sometimes they're like an old blind man in the fog. Instead of adopting P2P for selling their video or music, they make the community angry. Digressions aside. I don't feel that P2P networks will help anyone make their transfers safe [security through obscurity, right?] or that they will help to fight censorship in countries like North Korea or even China. On the other side, I can imagine modifying the XMPP [Jabber] protocol to transfer SSL-secured data -- it may already have been done, I had no time to investigate it further. Unauthorized distribution of copyrighted content, however, will always be a problem. There's no way to prevent such behaviour. Recent events show us that writing a P2P client is a piece of cake; even a clever 9-year-old boy can do this. I would rather make it easier for people to buy electronic copyrighted materials without the need to download them illegally. Given that according to some statistics as much as 30 per cent of total internet transfers are generated by P2P networks, I'm rather afraid that some stupid people downloading pr0n or Britney Spears MP3s could easily kill the Net some day. To sum up, each technology has its profits and costs. Obvious :). The profit of P2P is the ease of distributing any content. The cost is the people using it in an illegal manner. I can see no reason for prohibiting these networks just because some people prefer bad quality motion pictures to going to the movies. Should we prohibit the usage of knives only because someone stabbed a kitchen knife into someone's stomach?

Astalavista : In conclusion, I wanted to ask you what is your opinion of the Astalavista.com's web site, in particular, our security newsletter?

Roman : I'm very impressed with the amount of data available to Astalavista's visitors. I'm not a member though, so I cannot really make a detailed review. To be honest, I had some problems recognizing which of your websites are free and which ones are not. But I have managed to do it and use it almost daily :). As for the newsletter, it's one of the most informative and professional ones I have ever seen. Since reading Issue 16, I couldn't stop myself from reading the archives. I am a subscriber and strongly advise everybody to do the same. As a person professionally dealing with IT security, I mean it – this is not an advertisement for Astalavista. This is the truth.

Astalavista : Thanks for your time Roman!
---------------------------------------------

Interview with John Young, http://www.cryptome.org/

Astalavista : Hi John, would you, please, introduce yourself to our readers, share some info on your background, and tell us something more about what are Cryptome.org and the Eyeball-Series.org all about?

John : Cryptome was set up in June 1996, an outgrowth of the Cypherpunks mail list. Its original purpose was to publish hard to get documents on encryption and then gradually expanded to include documents on information security, intelligence, national security, privacy and freedom of expression. Its stated purpose now is: "Cryptome welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance -- open, secret and classified documents -- but not limited to those. Documents are removed from this site only by order served directly by a US court having jurisdiction. No court order has ever been served; any order served will be published here -- or elsewhere if gagged by order. Bluffs will be published if comical but otherwise ignored." The Eyeball Series was initiated in 2002 in response to the US government's removal of public documents and increased classification. Its intent is to show what can be obtained despite this clampdown.

Astalavista : What is your opinion about cyberterrorism in terms of a platform for education, recruiting, propaganda and eventual real economic loss or loss of life?

John : Cyberterrorism is a threat manufactured by government and business in a futile attempt to continue control of information and deny it to the public. Cyber media threatens authorities and authoritarians, so it is demonized as if an enemy of the state and, not least, corporate profits.

Astalavista : A couple of words - privacy, data aggregation, data mining, terrorism fears and our constantly digitized lives?

John : Privacy should be a right of citizens worldwide, in particular the right to keep government and business from gaining access to private information and personal data. The argument that government needs to violate privacy in order to assure security is a lie. The business of gathering private information by corporations and then selling that to government and other businesses is a great threat to civil liberties. Much of this technology was developed for intelligence and military uses but has since been expanded to include civil society.

Astalavista : Shouldn't the U.S be actively working on hydrogen power or alternative power sources instead of increasing its presence in the Middle East or to put the question in another way, what is the U.S doing in Iraq in your opinion? What do you think is the overall attitude of the average American towards these ambitions?

John : No question there should be energy sources as alternatives to the hegemonic fossil fuels. Dependence on fossil fuels is a rigged addiction of that worldwide cartel. Car ads are the most evil form of advertising, right up there with the crippling disease of national security.

Astalavista : Is ECHELON still functioning in your opinion and what do you believe is the current state of global communications interception? Who's who and what are the actual capabilities?

John : Echelon continues to operate, and has gotten a giant boost since 9/11. The original 5 national beneficiaries -- US, UK, CA, AU and NZ -- have been supplemented by partial participation of other nations through global treaties to share information allegedly about terrorism. Terrorism is a bloated threat, manufactured to justify huge funding increases in defense, law enforcement and intelligence budgets around the globe. Businesses which supply these agencies have thrived enormously, and some that were withering with the end of the Cold War have resurged in unprecedented profits, exceeding those of the Cold War.

Astalavista : Network-centric warfare and electronic warfare are already an active doctrine for the U.S government. How do you picture the upcoming future, both on land and in space, and might the Wargames scenario become reality some day?

John : Network wargames are as pointless and wasteful as Cold War wargames were. They churn activity and consume expensive resources. None are reality-based, that is, outside the reality of imaginary warfare.

Astalavista : Do you believe there's currently too much classified or declassified information, namely documents, maps, satellite imagery etc. available on the Net these days? In the post 9/11 world, this digital transparency is obviously very handy for both terrorists and governments, but who do you think is benefiting from it?

John : Far from there being too much information available to the public, there is a diminishing amount, especially about exploitation of those who have access to classified and "privileged" information -- government and business -- and those who lack access. The concocted warning that open information aids terrorism is a canard of great legacy, one that is customarily spread during times of crisis, the very times when secret government expands and becomes less accountable. "National security" is the brand name of this cheat.

Astalavista : In conclusion, I wanted to ask you what is your opinion of the Astalavista.com's web site, in particular, our security newsletter?

John : Great site, very informative, give yourself a prize and a vacation at G8 with the world class bandits.

Astalavista : Thanks for your time John!

John : Thanks to you!
-----------------------