How did you first get interested in computers?
My first access to computers came about because I was the assistant editor on a small national magazine, which, alas, is no longer with us. That was where I learned to do simple programs in BASIC. It really let me in on the secret of how much fun working with computers could be. My father is a computer science professor and a rather brilliant mathematician. He did not push me into the industry, and supported my decision to study watchmaking, locksmithing and archaeology, where using computers made some things far easier.
What was the path that led you into security in particular?
My interest in computer network security was born in my research of human mental constructs related to security. It may be a surprise to know that a merely competent locksmith (or burglar) can open the average apartment deadbolt in about 20 seconds, almost as quickly as you can open it with the appropriate key. Knowing this, it seemed as if we are secure in our homes because the vast majority of people anywhere are essentially honest and neutral toward others. I took this model into computer security, where I have been testing the model for approximately 14 years. It interested me to consider how the philosophies of the creators of operating systems had such impact on platform-level security, and how the early training most of us had as toddlers is the most likely vulnerability to be exploited by today’s cyber-criminals, as it is by grifters and con-men on a more physical level. For an instance of the former, the Microsoft Windows operating system was designed to be used on non-networked, stand-alone computing devices, and the platform-level openness of such a philosophy leaves Windows as one of the most exploitable operating systems since operating systems began. For an example of the early-training issue, it is gifts and sharing that are the most likely vectors of attacks by Trojans and viruses, and a feeling that people who are smiling are friendly. As a whole, we are trusting in the social world of Facebook, and even after 20 years we have not learned the lesson of distrusting all email links and attachments, even when they appear to be from well-known friends or classmates.
You have a CompTIA A+ certification–how has it helped you?
My CompTIA A+ was what got me my first job as a teacher at a community college in Spartanburg, SC. There were competitors with better academic qualifications, but my hands-on knowledge, as evidenced by the A+ certification, won me the position.
How did you get so interested and involved in open-source projects? What’s your favorite open-source project you’ve contributed to?
I got interested in Open Source because as a graduate student I could not buy access to closed-source projects to hack around on, and I could not get a job developing at a closed-source shop without the degree I was working to get. Open-Source projects welcome people with a willingness to learn and almost any level of project-related experience. I didn’t understand my fellow students who did not take this free-gratis chance to add relevant experience to their resume. My favourite Open-Source projects are the ones I am involved with right now. The glory of an open-source project is that if you get bored, or find something more interesting, you can move on, and you don’t have to explain your actions. Every one of my own infrastructure coding projects is open-sourced (so far), and these get to the point where they do what I want, and then I stop development. Some of these projects are available on http://Github.com/wolf29 and some are available on http://sourcefreedom.com. I have been involved with the OpenOffice Project for 7 years, since I decided that an office suite that did 100% of what I needed to do with it, and was free, was a better choice for me than an office suite that did that amount or any amount more than I needed and had a cost involved. I started by using the products, and as I have a teacher gene, I started helping people on the OpenOffice forums with issues that I knew how to solve. This eventually led to me getting more involved in the meta-structure of support and forums surrounding OpenOffice and to learning a little about the code itself. Since Oracle gave the OpenOffice code to the Apache Software Foundation, I have been enjoying learning the “Apache Way.” I am currently on the project board and the security team for Apache OpenOffice. My other active project participations are with the ones I am maintaining and administering at work. Currently these are http://evergreen-ils.org and http://dspace/org, among a few others.
You’ve started security businesses in the past–what have you learned from those?
A. Find a niche you really love. I chose to focus on “Open-Source Security” and have had success in a number of ways, not the least of them being that I really love the honesty and creative opportunities allowed by the open-source model.
B. Expect to spend at least half the time you apply to work toward marketing yourself and your expertise.
C. Do not consult for free, or for cheap. Your professional opinion will not be respected and your recommendations will not be followed. This is not to say that you should not actively participate in the community and provide assistance for web-forum questions or for your local users’ group. This is both personally rewarding and builds your credibility in the community. If you are a natural bean-counter, consider it an advertising expense, or entertainment.
D. If it is not fun, see item ‘A’ in this sublist.
For the security professional who would like to take a similar path, what advice would you give?
Pay your dues early. Get a couple of little jobs working in computer networking. Nobody will trust you to oversee their security if you have no experience with running a network. Expect to spend a couple of years “earning your stripes.” Make yourself available to opportunity. I co-authored a textbook on penetration testing and computer security because I was working as an adjunct instructor and I was the only Linux enthusiast and hacker on staff. Study forward: Just because you aren’t working with Whizbang Firewalls right now, or PostgreSQL, or nmap or OpenVAS doesn’t mean you wouldn’t be interested in them or that you won’t get a chance to say at an interview, “Oh nmap? I use it on my 3-node network at home. I have learned that it is a bad idea to accidentally ask nmap to search my network with a /2 CIDR instead of a /24.” (An nmap search with a CIDR of /2 could search half of the Internet, while a CIDR of /24 can search only 255 nodes.) A technical manager is more interested in your intellectual curiosity and your ability to deal with novel situations than your specific memorizations. Be curious and act on your interests.
Where do you see the future of security?
The future of security from the service-provider side is security in the clouds, with ubiquitous connectivity and more smartphones and tablets than desktop and laptop computers on the client side.
What are the challenges in security right now that are being overlooked?
The way many security-product vendors make money in consumer or client-side security right now is standing in the way of solving the security issues that are most prevalent on the client side. Proprietary operating system vendors have no reason to solve problems and plug security holes when they can sell development licenses and accept royalties from companies that are in the business of fixing the security problems that result from the vulnerabilities, and end-users are not aware of alternatives without such built-in problems.