Security Threat Analysis: Interview With Dino A. Dai Zovi

More Than Meets The Eye

Alan: You’re being too humble. You were basically a member of Sandia National Laboratories’ Information Design Assurance Red Team (IDART). This is the team that gets hired when agencies such as the Department of Defense, Treasury, Interior, or State need to ensure that something like Live Free or Die Hard or 24 (Season 7) doesn’t happen in real life.

I know you can’t go into details, but was this a full-on Red Team assessment? In other words, the target you’re testing has no idea that the test is happening, and your team is allowed to use any and all resources, such as dropping a USB drive in the parking lot with a Trojan Horse payload and hoping a Good Samaritan will try to identify its owner by plugging it in?

Dino: I can neither confirm nor deny.

Alan: @stake was also a unique company in that its research department was built in large part through the acquisition of L0pht Heavy Industries. L0pht was really one of the pioneering groups representing “gray hat” hackers. Historically, people talked about “White Hat” and “Black Hat” hackers. The White Hats are supposed to be the “good guys” while the “Black Hat” hackers were the “bad guys.”

The problem is that many of the “White Hats” thought they were too good and noble to associate or deal with the “Black Hats.” As a result, they would only have a limited base to build upon. The concept held by “Gray Hats” is that the only way to defend against all threats was to understand all threats. At times, this would mean fraternizing with the “bad guys”--but in practice it meant understanding all the threats and then figuring out how to counteract those threats.

What was it like working there?

Dino: @stake employed some of the most talented people in the business and it was a great opportunity to work with and learn from some of the best. I was lucky to have the opportunity to work on some very exciting and important projects for some big clients. Again, I can’t talk about the details of my work there either, except to say that I performed network, Web site, and software penetration tests as well as delivered secure development and security awareness training.

Alan: Well, enough talk about your past. Tell me about your current job.

Dino: I can’t comment on it at this time.

Alan: I'm not surprised. Can you tell me about the computer you’re currently using as your primary system?

Dino: I use a number of computers on a regular basis, but they are almost all Macs. My main systems include a MacBook Pro and a Mac Pro. I have been using Mac OS X primarily on my personal systems since around summer 2001.

Alan: Why a Mac when it's inherently insecure?

Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system just works and lets me get my job done.

I have tended to focus a bit on Mac OS X security since I often had a Mac in front of me and I enjoyed hacking on it. I also clearly have a vested interest in having a more secure platform on the machines storing my data.

  • cruiseoveride
    Wonder why he didn't mention SELinux
  • mrubermonkey
    If it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystique of his image.
  • AlanDang
    Not really -- the black hats make money off the Internet -- it doesn't help them. By definition though, the risk is always about "taking down" a few IXPs or the +1 nodes.
  • "Selectively granting privileges to enhanced functionality to Web sites is an area where most Web browsers can improve".

    They may not be core functions, but everyone I know who is concerned with security on the Internet uses Firefox with the add-ins NoScript and Flashblock.
  • vaskodogama
    mrubermonkey: "If it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystique of his image."

    I am from Iran. All the Iranian Government can do is block porn and politics web sites! :D
  • pcworm
    I'm also from Iran. Come on, we still connect using bloody dial-up, you guys can't be serious! Although due to the "no copyright" law we can buy Windows, MATLAB, VS 2008 Team System, Office 2007 and a lot more for less than a dollar each... :-) You don't need broadband here 'cause piracy is official.
  • Gutbop
    Dino: "I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done."

    Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that?
  • I am a Mac user as well. I also use many versions of Windows and Linux in VMs. I am not a security expert or anything, but why is everyone hung up on someone taking down the Internet? Hackers use the net to make money or prove a point. I don't think they are going to shut the net down and hold it hostage; who would be forking over the money anyway? And if they did it to prove a point, how would they ever get recognition for the task when all communication stops?