Security DevCenter


Michal Zalewski on the Wire
Pages: 1, 2, 3

HTTP does not use crypto, while HTTPS does. Do you think that in the future we'll use crypto for every single connection?

Well, because of the shortcomings of TCP (and the increasing ease of blindly tampering with the data as bandwidth increases and new attacks are discussed), almost all communications, even nominally of little relevance, should be either encrypted or cryptographically tamper-proofed by now.

Unfortunately, this is a complex and costly process, and implementing advanced cryptography may introduce new flaws elsewhere. Furthermore, unless carefully engineered, it may remain susceptible to disruptions on underlying layers, replay attacks, etc. Last but not least, end users simply don't understand encryption and PKI, and hence can be easily tricked to ignore or bypass our sophisticated protections.

In other words, "perfect world" solutions may be not really that desirable or easy to implement, and we might have to stick with simpler short-term options and strategies for now.
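As an added illustration that is not part of the interview: the answer above distinguishes between encrypting or tamper-proofing a connection and engineering it carefully enough to resist replay. The Python below (example code, with a constructed shared key and a hypothetical frame format) shows an HMAC that covers only the payload, which a receiver will accept again and again, beside one bound to a sequence number that the receiver tracks, so a repeated or altered frame is rejected.

```python
import hmac
import hashlib

# Constructed shared key for the demo (in practice, agreed via a key exchange).
KEY = b"demo-shared-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def mac(key: bytes, data: bytes) -> bytes:
    """Authentication tag over data (tamper-proofing, not secrecy)."""
    return hmac.new(key, data, hashlib.sha256).digest()

# Naive scheme: the tag covers only the payload, so a captured frame
# remains valid forever and can be delivered again unchanged.
def naive_send(key: bytes, payload: bytes) -> bytes:
    return payload + mac(key, payload)

def naive_recv(key: bytes, frame: bytes):
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(key, payload)):
        return None  # tampered or forged
    return payload   # accepted, even if seen before

# Bound scheme: the tag also covers a monotonically increasing sequence
# number (hypothetical 8-byte header) and the receiver remembers the
# highest number it has accepted.
class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, payload: bytes) -> bytes:
        self.seq += 1
        header = self.seq.to_bytes(8, "big")
        return header + payload + mac(self.key, header + payload)

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def recv(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None  # malformed
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, mac(self.key, header + payload)):
            return None  # tampered or forged
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return None  # replayed (or stale) frame
        self.last_seq = seq
        return payload

def demo():
    """Returns what each receiver accepts for a fresh frame, the same
    frame delivered a second time, and a frame with one payload byte altered."""
    frame = naive_send(KEY, b"transfer 100")
    naive_first = naive_recv(KEY, frame)
    naive_again = naive_recv(KEY, frame)   # naive receiver accepts it again

    sender, receiver = Sender(KEY), Receiver(KEY)
    bound = sender.send(b"transfer 100")
    bound_first = receiver.recv(bound)
    bound_again = receiver.recv(bound)     # sequence number already used

    altered = bytearray(sender.send(b"transfer 100"))
    altered[8] ^= 0x01                     # flip a bit in the payload
    altered_result = receiver.recv(bytes(altered))  # tag no longer matches

    return (naive_first, naive_again, bound_first, bound_again, altered_result)

if __name__ == "__main__":
    print(demo())
```

The sequence number only protects against replay within one keyed session; a receiver that restarts and forgets `last_seq` needs a fresh key or a persisted counter, which is the kind of engineering detail the answer refers to.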

Your book is full of interesting and original ideas to study a network or a single host; however, how can we focus on those advanced topics if most of the break-ins on the internet come from worms, spyware, and other dumb things or users?

There are plenty of books on these topics, some of them very, very good; there is no point in writing another summary of threats just because worms or spyware are a prominent problem.

What I wanted to achieve is to show how to think creatively and see problems that go beyond textbook examples; I try to show that these flaws don't come out of nowhere, and are inherent to every single tiny design decision ever made. If there is a software engineer, a system administrator, or a security professional who, after reading SotW, puts a bit more thought and insight in their work, that's good news--we may be preventing new classes of exploits and attacks of tomorrow.

There are a lot of books and courses that teach "how to think like a hacker". Your book should open a reader's mind, showing original points of view for different situations and problems. Do you think that it is possible to learn this way of thinking, or is it just part of some people's personality?

I don't think that ("good") hackers have any special, hardwired mental abilities or specific personality traits, and I do believe you can easily learn to think like a hacker, even when you come from a different background.

The difference between hackers and people who just deal with computers for a living, 9 to 5, is quite simple--hackers share a genuine passion for this stuff, they learn and analyze computers just for fun, and hence can more readily see beyond the taught problems and scenarios, invent or explore.

And so, if you have ambivalent feelings about computer science and just want to get your paycheck, no amount of books or courses is going to turn you into a skillful, passionate enthusiast. On the other hand, if you have the genuine desire to explore computing as a true hobby, you're likely to succeed and become an old-school hacker with (or without!) proper guidance.

I was thinking that often the so-called hackers have other hobbies beyond computers, and that being open-minded and cultivating mental elasticity could explain why they have better results than people who do things just because it's their job. For example, you like to practice photography, and this interest in expressing yourself with images came out when you published your famous research on ISNs, where you used a graphical format to spot algorithm weaknesses. Thinking of the people you have met and the hackers you know, does this theory sound good?

I think it's an oversimplification to attribute any special mental skills or capabilities as either a result of or a reason for being a hacker. In fact, I know of several hard-core hacker geeks who have remarkably few other interests or any form of mental or social elasticity. (In fact, they're really hard to get along with, and have very serious problems adapting to everyday situations.)

Also, I don't think that hackers necessarily "have better results" than people who do not fall into this category. It's a comforting thought for us geeks, but I'm afraid this is not very true. Some hackers are either far too obsessed with a particular concept or set of problems, or too disorganized, to outperform well-trained, distanced professionals.

Hackers are generally more determined to do the things they're interested in, for its own reward, that's all.

Some time ago you played a joke, claiming to have founded a company called eProvisia LLC that provided a 100 percent guaranteed antispam service. The very interesting fact was that its antispam technology used human beings who manually analyzed email.

Yes, of course the company is not real; it was just a silly joke that got out of hand (and was carried as a true story by ZDNet, Yahoo, Slashdot, and others).
