Skip to main content

Security Threat Analysis: Interview With Dino A. Dai Zovi

More Than Meets The Eye

Alan: You’re being too humble. You were basically a member of Sandia National Laboratories’ Information Design Assurance Red Team  (IDART). This is the team that gets hired when agencies such as the Department of Defense, Treasury, Interior, or State need to ensure that something like Live Free or Die Hard or 24 (Season 7) doesn’t happen in real life.

I know you can’t go into details, but was this full-on Red Team assessment? In other words, the target you’re testing has no idea that the test is happening, and your team is allowed to use any and all resources such as dropping a USB drive in the parking lot with a Trojan Horse payload and hoping a Good Samaritan will try to identify its owner by plugging it in?

Dino: I can neither confirm nor deny.

Alan: @stake was also a unique company in that its research department was built largely in part with the acquisition of L0pht Heavy Industries. L0pht was really one of the pioneering groups representing “gray hat” hackers. Historically, people talked about “White Hat” and “Black Hat” hackers. The White Hats are supposed to be the “good guys” while the “Black Hat” hackers were the “bad guys.” 

The problem is that many of the “White Hats” thought they were too good and noble to associate or deal with the “Black Hats.” As a result, they would only have a limited base to build upon. The concept held by “Gray Hats” is that the only way to defend against all threats was to understand all threats. At times, this would mean fraternizing with the “bad guys”--but in practice it meant understanding all the threats and then figuring out how to counteract those threats.

What was it like working there?

Dino: @stake employed some of the most talented people in the business and it was a great opportunity to work with and learn from some of the best. I was lucky to have the opportunity to work on some very exciting and important projects for some big clients. Again, I can’t talk about the details of my work there either, except to say that I performed network, Web site, and software penetration tests as well as delivered secure development and security awareness training.

Alan: Well, enough talk about your past. Tell me about your current job.

Dino: I can’t comment on it at this time.

Alan: I'm not surprised. Can you tell me about the computer you’re currently using as your primary system?

Dino: I use a number of computers on a regular basis, but they are almost all Macs. My main systems include a MacBook Pro and a Mac Pro. I have been using Mac OS X primarily on my personal systems since around summer 2001.

Alan: Why a Mac when it's inherently insecure?

Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system just works and lets me get my job done.

I have tended to focus a bit on Mac OS X security since I often had a Mac in front of me and I enjoyed hacking on it. I also clearly have a vested interest in having a more secure platform on the machines storing my data.