http://www.networkcommand.com/one.txt 4/19/99

So, let's get started with the standard information... There has been some talk on other mailing lists of switching to a paid subscription service -- gotta eat somehow. Bugtraq has always been free, do you have a day job?

I assume you are talking about NTBUGTRAQ. Yes, I have a day job, although it tends to change every year or so. I've also been lucky that I've always managed to have enough free time to manage the list, which normally takes about one or two hours a day. But let me assure you that BUGTRAQ will always, so long as it is within my power, be free. BUGTRAQ is about community and the free exchange of information. BUGTRAQ is what it is because of its subscribers. It seems like a rather fast way to kill the list would be to tell people they have to pay for the privilege of reading their own posts.

What is the current number of list subscribers on bugtraq now?

Twenty seven thousand five hundred. Give or take a few.

Sometimes do people send you email just thanking you for what the list provides? Yesterday I thought, "What if bugtraq just went away?? What would we do?" There will be a time when either bugtraq or the open source movement saves lives if it hasn't happened already...

Sometimes. Mostly after an "Administrivia" message. There have been people that have joined and don't even realize there is a moderator until one of those posts. It feels nice when people let you know they think you are doing a good job, but as with any position that involves some public visibility there will always be some group that thinks otherwise. Over the years I've learned to run things as I like and not to worry about what people think. If they like how things are being run the list will prosper. If they don't then they will move on and the list will disappear.

What was the first computer you were ever exposed to?

Compared to some people in this industry/community I would consider myself a latecomer to the computer world.
I believe my first contact with computers was during middle school, where I learned programming using Logo on an Apple IIe. For several years after that I had no contact with computers. Next I took a Lotus 123 and dBase IV class using IBM PCs. I also obtained access through family and friends to a few Macs. The first computer I owned was an Apple IIGS. At the time I had little access to any software other than that which came with the machine, so I learned Apple BASIC. I truly became involved with computers when I moved to go to college. I bought a 466 DX 50, took some college computer classes and learned about Unix. About this same time I became involved with the hacker underground.

Did you ever get involved with the BBS scene?

Yes, but only to a limited degree. At some point I had become interested in the hacker phenomenon. I had seen the movie War Games some years before, so it might have been the seed that sparked my curiosity. I had done some research at my college's library and come up with several news and magazine articles, including the infamous Esquire article that made Captain Crunch famous. I also read the books Cyberpunk and Hackers. Somewhere I came across a copy of 2600 and bought it. This issue of 2600 had, what else, plans on how to make a red box out of a Radio Shack tone dialer. I decided to try to build the device, so I went down to my local Radio Shack store to buy the parts. In the store, also buying some parts, were two rather curious characters. I asked the attendant for the crystal and some other part. In the meantime the two other guys paid and left the store. When I left the store I found them waiting for me. They asked me what I was building and I replied it was a red box. I asked what they were building and they said a black box. One of them was Intrepid Traveler. Intrepid gave me the number to a local board, the rather famous Lunatic Labs. It was that encounter and going to the LA 2600 meetings that really got me started in this whole business.
After calling LunaLabs for the first time I obtained a list of several other boards. For that whole first month I called some of the better known non-local boards in the country: Daemon Roach Underground, UPT, and some others. After my phone bill that month reached several hundred dollars I decided to stop calling long distance boards. I hung out at LunaLabs and some other local boards but then moved on. I had Net access!

What platform/s do you prefer to work with? Why?

Linux and Windows NT. Linux for the simple fact that it supports more of the hardware I want to use and more applications. Windows NT I use mostly for applications. Truth is, I hate OS wars. They are the dumbest thing in the world. Each OS has its strengths and weaknesses. Use the right tool for the right job, or use the tool you feel more comfortable with.

There seem to be two camps in the security industry right now. There's one camp that thinks they are secure or close to it, and the other that is just waiting for the killer app and understands the damage it could cause. That Melissa virus really freaked people out, but if you know anything about security you know Melissa was nothing compared to what could be coming. Do you think the second camp is right, or alarmists?

If there is any camp that thinks they are secure then I must have missed them. But I don't think we are doomed either. For the longest time I wondered why no one had written a new worm. After all, it's not really that difficult. But the reality is that even with Microsoft's dominance of the OS market we live in a very heterogeneous world. Writing a worm that can infect more than one OS is more work. Writing a worm that can infect all OSes and different versions of the same OS is a very large task. Even the DNS ADM worm floating around didn't do much. Too many flavors to take care of them all. Even by all accounts the Internet Worm didn't really spread to a majority of the Net back then. The thing could only really infect two flavors of UNIX.
Yet even if we are not looking at a doomsday scenario, a good number of people could be inconvenienced by a large enough attack. Melissa did not infect anywhere near a majority of Net users. Still, it was a large number.

Should that guy who wrote it be held responsible, or Microsoft for writing insecure software, or the end user who runs it because they are ignorant?

I don't believe the guy who wrote it should be held any more responsible than someone who publishes bomb recipes (or cookie recipes for that matter). The person that released the virus into the wild should be held accountable, although the fact that it wasn't malicious should be taken into account. Microsoft should be held accountable as well. They will of course reply that they simply add features because customers ask for them. Yet when you reach the monopoly Microsoft has reached you have the obligation to do what is best for the consumer, even if it means telling them they can't have some feature. Finally, the consumer should be held responsible as well. They continue to base their purchasing decisions solely on an application's feature set without taking into account security implications.

Do you feel the quality of virii and hacks is going to increase as we approach Y2K and move past it?

The number of knowledgeable people will increase, so the number of quality virii/hacks will increase as well. But the addition of the "hacker" figure to the pop culture pantheon of rebels will also increase the number of clueless people that call themselves hackers; therefore the percentage of quality virii/hacks will decrease.

Do you think we are going to see an increase in foreign governments using the Internet to harm their enemies?

We will see an increase in intelligence gathering activities by government entities, but I doubt it will develop into "net war". After all, their computers are just as vulnerable as ours. I guess we go back to the doctrine of mutually assured destruction.
Of course this assumes their society is as dependent on the Net as ours is.

Although I feel like I have more access to information now (news reports from alternate sources, video of human rights violations, etc.), I still feel like I'm missing the same piece of the puzzle, if you know what I mean. Take China for instance. Their current government has created an Orwellian 1984 -- and proved that history repeats. They have created the Great Firewall of China and are executing people for acts conducted over the Net. Singapore is proxied -- the whole country. I can't even imagine what that would be like. Do you think the oppression can continue, or...

I think the Net is a wonderful tool to bring down such regimes. Before it, TV had a similar impact. It had the effect of introducing foreign ideas that are difficult to control into those environments. I think the problem you are seeing is that you are expecting change to occur overnight. That is very unlikely. It takes at least a whole generation for the young people that embrace these ideas to come into power. You also have to understand that those societies are not as wired as ours. The people with Net access in those areas tend to be either the elite, the ones in power or the rich. Not exactly those that you want to reach. I see things moving in the right direction, but it will take time.

Do you have any info on the cDc's Chinese emailer app? I guess it returns censored web sites via email.

No. Although it sounds like a wonderful tool.

Do you believe Open Source is the only way to be secure?

Theoretically yes. In practice it can actually be a hindrance. The common example is comparing the number of Linux exploits to, say, Solaris. There are many more Linux exploits, among other things, because people can read the source. Now in theory, since we have the source, everyone should have audited it and fixed any problems, but how many people actually do that?
In theory you can also find vulnerabilities in a closed source system, but in practice it's more difficult. So security through obscurity can help; it's just that you should never depend on it. Does this mean we should give up on open source? No. It just means we have to strive at doing better auditing of it, a la OpenBSD or the Linux Auditing Project. Marcus Ranum has some very good ideas on how open source can actually burn you. There was an interesting discussion about this issue on the firewall mailing list with regard to the availability of the Gauntlet firewall source code. The source code has been available to any customer for years (until recently), but how many people actually bothered to look at it and send in bug reports? Not many. Everyone wants to live in a utopia. Too bad we live in a practical world.

Know anything about Quantum Cryptography?

Just some basic concepts. Nothing I would want to describe for fear of talking about something I don't really know about ;)

What's up with your web site underground.org? It's a pretty picture but everyone wants to know if there is some skunk works going on back there...

There is nothing there but the picture. Underground was a fairly popular security archive in the past. Over time it grew to the point it became difficult to maintain and I let it rot. At some point in the future a hard drive crash took the web server down. All the information in the site was so dated that I decided to keep it down. I've been working on a new version of the site for a very long time now. I can't say when it will be ready. It's a lot of work and not very fun at that.

Who is Jennifer Myers?

The person that runs the de facto BugTraq archives at geek-girl.com. She's had no formal relationship with BugTraq.