Interview with a security professional - Dave Aitel

Author: alt.don (SF Boss)
Posted: Fri May 13, 2005 12:29 am

We have been giving some thought recently here on the forums to asking some of the leading lights in the computer security industry today some questions. Our first “Interview with a security professional” is with Dave Aitel of Immunity the creator of CANVAS. To that end we have put together some questions to get Dave’s take on them.

Question

You have successfully created a product called CANVAS, which helps the system administrator and security professional secure a network. That being said, do you believe the general state of security knowledge held by sys admins, as a whole, needs to come up rather than always relying on third party tools?


Dave’s Answer

I, personally, believe that if people would ask software vendors to ship secure software, they would. System administrators typically find that security is a small part of their job – as it should be. Their job is really getting stuff to work. I don't have a problem with that. If you install grsecurity you stop having to worry about security so much, and you can just concentrate on getting things to work again, which is nice.

Question

What are your thoughts on Microsoft once again breaking raw socket functionality with SP2 for XP? Though it may help in the fight against malicious hackers it also complicates the life of others, with a legitimate need for raw socket access. Where are your thoughts on this?

Dave’s Answer

Immunity's product, CANVAS, like many others, relies on having raw sockets for some of its advanced functionality. I think eventually someone will make a kernel module that re-enables this functionality. It's not that hard. Of course, nothing prevents the next worm from using this kernel module either. Largely I think not having raw sockets was a waste of time.

Question

I have heard some outlandish claims from some security vendors about their products. The problem, though, is that there is very little factual evidence to back up their claims. Do you believe it is perhaps time to regulate the security appliance industry via a regulatory body?

Dave’s Answer

I'd sooner have rabies than regulation. All vendors throughout time have made outlandish claims. Typically what consumers do is ask their friends if any of these claims are remotely true, and based on that judgment, decide whether to purchase a product. I think the IDS industry is perhaps one which could use more honest reporting of capabilities. IDS vendors are all quite touchy about the subject of how well they all operate – and for many reasons, it's impossible to find independent third party tests. Running CANVAS with covertness set to 11 allows our customers to say “My IDS doesn't really work” which is always a shocker.

Question

Were you to start from scratch again and forced to choose between learning TCP/IP or programming, which route would you take? I ask this question because some programmers that I know, surprisingly did not have a great deal of knowledge about the protocol suite at a granular level.

Dave’s Answer

I think programming is a key skill to have in any industry. Learning any particular protocol stack is fairly easy to do. That said, if you don't know TCP/IP, you're bound to repeat it.

Question

Do you see security professionals such as yourself who actively do exploit development at odds with your security professional status?

Dave’s Answer

A security professional not knowing how to write exploits is akin to a chef not knowing how to actually cook. If you can't write exploits, you can't know what's actually possible with vulnerabilities, and you're just blowing hot air.

Question

With Microsoft seemingly taking security seriously nowadays and the lack of IIS 6 exploits found (point in case), where do you think malicious hackers will refocus their efforts on?

Dave’s Answer

I was part of the team that audited IIS 6 for vulnerabilities, and hopefully I did a pretty good job at the time. IIS, however, is a tiny part of a rather massive software stack. People deploy all sorts of third party applications on IIS, and these are mostly vulnerable to your standard memory corruption techniques. So don't despair just because .htr got unmapped and .asp finally got a code review.

Question

What would you advise the budding computer security enthusiast on our forum to study material wise?

Dave’s Answer

Learning assembly is the key to really understanding vulnerabilities. Immunity offers a few good classes in writing exploits, but for people with smaller budgets, there are a number of books on the subject out now. I think The Shellcoder's Handbook, which I helped write, is a bit on the advanced side for many beginners, who may feel more comfortable with some of the other books that have recently come out on the subject.
And, of course, there's always the old favorites of Dildog's “Tao of Windows Buffer Overflows” and Aleph1's “Smashing the Stack”. The key is practice. If you spend an hour a day working out, you'll get big muscles and manage to get chicks. If you spend that hour a day learning how to write exploits, you'll get rich, and still get chicks. It's a win/win either way, as long as you don't sit in front of your couch and smoke pot all day, and even then, you'll get the druggie chicks, who are a lot of fun to hang with, right up until they all marry muscle-bound middle management and rich hackers.

Question

Do you see cryptography playing a larger role in computer security as time marches on?

Dave’s Answer

I don't see your average attacks being dependent on cracking a cryptographic primitive, if that's what you're worried about. Cryptographic primitives may not be perfect (md5, for example), but they're stronger than the software that uses them. I always laugh every time I see another heap overflow come out in someone's kerberos implementation.

Question

Warez is a huge problem for s/w vendors. Do you believe that they are their own worst enemy though due to the exorbitant prices they charge for their products?

Dave’s Answer

I don't know that Warez is a huge problem for commercial software vendors. Largely, people purchasing software don't use warez. Most pirated software is used within companies – a company sells you one license, you install it on one hundred machines. The only time pirated software has ever been a problem for Immunity, as a software vendor, is when we sold a copy of CANVAS to someone from China using a stolen credit card. So now we just don't sell to anyone we can't actually identify.

The bigger problem for software vendors is software patents. Software patents have no upside. They destroy the economics of software production for small companies, which costs more jobs than off-shoring could ever take. People don't realize how much of our economy runs on small companies. Right now, starting up a small software company in America is far riskier (a.k.a. a worse investment) than it should be. Software patents are a problem Warez never could be.

Question

In my opinion one of the biggest threats out there today is the uninformed home user. Hence the bot net problems, and launch points for other black hat attacks. Do you think that computer users should have to do a “computer competency” exam, much like new car drivers do? This is unrealistic, I agree, but a valid question I think.

Dave’s Answer

Perhaps we should also sign a two-year service plan, much as most cell phone users do? Except in the overblown minds of prosecuting attorneys, the damage any DDoS attack does is far overshadowed by a single car crash. Cars kill people; DDoSes don't. A persistent DDoS can put a company out of business, but there are technological ways to prevent this sort of thing, and they're in place now at all the major ISPs. I'm not sure why everyone is so scared of Botnets. I imagine the only reason they get so much attention is that they're quite an easy problem to solve, and people love to show how smart they are by solving easy problems.



I would like to personally thank Dave Aitel for taking the time to answer the above questions for us. It is always great to get answers from the true talents in the security field today. Please stay tuned over the following weeks for further “Interviews with a security professional”.


This review is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.