Security Forums

Interview with a security professional - Marc Maiffret

Author: alt.don (SF Boss)

Posted: Thu May 26, 2005 10:44 pm    Post subject: Interview with a security professional - Marc Maiffret

Continuing with our series of “Interview with a security professional”, I am very happy to say that Marc Maiffret, CHO of eEye, has generously contributed his time to answer some questions for us.

Question

Seeing as you are one of the very talented developers in the computer security world today, do you often find yourself collaborating with others of your skill level? Specifically those who may not also be presently working with you.


Marc’s Answer

I don’t usually have a lot of time to collaborate with other people. Also I do not usually find a need for it because most of the ideas that I would think about can be collaborated on within the eEye research team. We are obviously friends with a lot of other people in the security “scene” though and keep in touch.

Question

A short while ago there was someone who alleged there were backdoors in some of your products. While I don’t believe many people gave it any credence do you often have to deal with such claims?


Marc’s Answer

These types of claims are made from time to time and while it is annoying it is also a sign of things getting bigger. As with almost anything the further you climb the more people want to see you fall or as Biggy said, “More money, more problems.”

Question

What skills do you believe a successful, not necessarily elite, security professional must possess today?


Marc’s Answer

Drive. I think with almost any career or hobby you just have to want it bad enough. When it comes to security it’s so broad it really depends on what you want to do: Consultant? Exploit Developer? Vulnerability Researcher? Product Programmer? It all very much depends, but everyone I’ve met that is rather skilled in what they do has the common theme of being very driven and never taking no or “theoretical” as an answer.

Question

Would there be a specific programming language that you would counsel those new to programming to learn first?


Marc’s Answer

It really depends on what you’re looking to accomplish. If you’re looking to write security type tools that deal with low level internals or network related functionality, then C/C++ is always a good place to start. However there are plenty of examples of people doing cool stuff in Python or Perl. There is also obviously something to be said about all the .NET stuff. Learning C# is not a bad idea either because you can still do what you want (for the most part) but then you also have maybe a more marketable skill (outside of security) beyond what C/C++ can give you these days. At the end of the day though my favorite language is C.

Question

With Microsoft finally getting serious about security, and its coding practices, where do you see the exploit developers training their guns next?


Marc’s Answer

I think even with Microsoft’s efforts you’re still going to be seeing new vulnerabilities found and exploited. However I think soon we will begin to see people caring more about writing exploits and worms for non-Microsoft software. There is a LOT of software that is just as popular in use as Microsoft, and exploits and worms for that software will be just as critical as what we have seen with Microsoft. For example companies like Adobe, Symantec, and Computer Associates, just to name a few. Products by these companies are in wide use and a worm written for one of these products could be just as devastating as any given Microsoft worm, or worse in some cases.

Question

Talented developers like Dave Aitel and HD Moore have contributed excellent programs to the community for free. Do you see this donation of free tools as a responsibility for programmers of your caliber?


Marc’s Answer

I don’t think it’s a responsibility really. People who are excellent at what they do are typically where they are because they busted their ass to get there, so I don’t think they owe anyone anything really. However, it obviously is a rather cool thing to release good free tools and give back to the community that really did have to in some ways help you get to where you are. A lot of times it really is more a matter of being able to have the time to write a *good* free tool. I know for us it’s more a matter of time than whether it’s a good idea or not.

Question

Recent changes to the 64 bit architecture such as the NX bit, and extended memory will probably affect exploit development. How do you see exploit development evolving in light of non-executable stacks?


Marc’s Answer

Non-executable stacks? Didn’t that happen in the 80’s? :) I just look at things like 64 bit architectures and NX as technologies that will hopefully make things more fun for everyone. I am sure plenty of people who have written exploits for x86 have gotten bored with it over the years. I think a lot of people are looking forward to new security challenges both in how to protect these new systems and how to break them. I know we’re looking forward to it…

Question

Do you feel there is a need to regulate computer security vendors? I ask this simply because I have personally heard some rather outlandish claims that have been made, with little to no evidence to back them up.


Marc’s Answer

I don’t think we really need to be regulating computer security vendors; however, if things keep progressing like they are then at some point the government *is* going to step in and say “Ok kids, you can’t all get along, here are the rules.” And we will be in much worse shape than previously. If there is any place that we need more laws it is for software vendors who practice gross negligence of security within their products. One of the greatest examples of this is Microsoft performing all of their security auditing on Windows XP Service Pack 2, yet a lot of those same vulnerabilities exist on Windows 2000, which is a supported platform. Microsoft obviously knows about these vulnerabilities because they have fixed them on XP SP2; however they are knowingly leaving customers vulnerable with Windows 2000. I hate analogies but it’s like someone selling you an old model car tire that loves to explode and their answer to the problem is buying a new model car tire… even though the old one is supposed to be under warranty. I do not really understand how this is legal.

Question

Do you feel that there are specific character traits, which lend themselves to someone being a talented developer, vice simply a competent one?


Marc’s Answer

I am not overly up on the physiology of a developer so I can merely guess. However, one thing I have found common, since I run a software development company, is that a lot of talented developers (and security researchers) are also quite inclined to play musical instruments or related. Not to say that it means you have to be a musician to be a good programmer, I’ve just seen that in my own personal experience. A lot of times people who are programmers are also people who think very analytically which also makes it quite an interesting personality to try to manage. Everything is thought of logically and sometimes rather black and white. This is why there are so many brilliant techies who never accomplish anything, because their mind has logic set to 1 and imagination set to 0.

Question

Lastly, your company has some excellent products to help facilitate the system administrator’s life. That being said, do you believe it is incumbent on the admin to make more of an effort to learn how to secure things better?


Marc’s Answer

It is not really just up to system administrators to learn to make things more secure. That really means nothing if the business they are supporting does not also take security as a priority. A lot of people still just look at security as something that costs money without giving any return. People need to understand that security is like paying your electricity bill; however that time is far from now. I think it benefits administrators to teach themselves as much about security as they can because security is something that is in strong demand and it is basically something that can help them career wise.

On behalf of the membership and myself I would like to extend a big thank you to Marc for his time. The answers provided by Marc were of great interest.


This interview is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.