LinuxQuestions.org: Interview with Brian Hatch
Oct 31, 2003, 11:30
Thanks to jeremy for this link.
LQ) Tell us a little bit about yourself. How did you end up a
security guru? Any advice for people who are interested in starting
in "the business"?
"BH) I was always a paranoid security freak, though I didn't
know it until much later. Even when I was 6 or so I had home-made
locks on my bedroom door, Tripwire-like devices I could use to see
if someone had opened my closet, and other stuff that was very
unnecessary for someone with nothing interesting whatsoever.
Building better and more foolproof and complicated systems was
great fun for me, even if none of it was useful in the least.
"Advice? If you want to get into security, you must build an
immediate distrust of everything you hear and see. (This also works
well when listening to politicians.) When developing anything, be
it your security policy or your random email signature generator,
you need to take the stance 'What could go wrong? What weird
situation/input/etc could cause this to fail? Have I set up enough
barriers? Have I checked the exit status of each and every command,
including 'print/printf'?' Never assume that something you write
for a normal user will never be run by root, for example. Never
assume something that, today, is only executable by trusted
administrators will never be accessible to an attacker. Perhaps
those admins become untrustworthy, or their account gets
compromised, or you need to allow access by less-competent