Security Threat Analysis: Interview With Dino A. Dai Zovi

By Alan Dang
published

We sat down with Dino A. Dai Zovi, a security researcher focused on offensive security and former member of the Sandia National Laboratories' Information Design Assurance Red Team (the guys who test the security of national agencies). Check it out.

Taking Down The Internet

Alan: Would you specifically recommend Chrome for Vista and Windows 7 users then?

Dino: If security is your highest priority, I would recommend Chrome for any user on any operating system that it supports. Chrome has leap-frogged the other Web browsers in terms of security due to its innovative multi-process sandbox model. Chrome is even more secure on Windows Vista and Windows 7.

Alan: What browser should we be using on the Mac or Linux?

Dino: If security is your highest priority, I’d recommend using lynx.

Alan: It’s that bad, huh?  What do you use personally on your Mac?

Dino: It depends on which Mac. I run Safari, FireFox, and Chrome within a Vista x64 VM on VMware Fusion. I like Safari's UI and polish so I use that for casual Web browsing because I'd be less concerned if an attacker gained access to my Twitter and Facebook account than my other private personal data. I use FireFox for that more sensitive Web browsing such as financial sites, etc. On my secure development machine, I surf the Web using Chrome within a Vista x64 VM on VMware Fusion. Good data separation takes a little work, but it's not too much to recommend that most users do their online banking from a different machine than the one that their children use to play games on the Web. For that, I'd recommend that users keep an old machine around with a clean install of the operating system that is only turned on when needed and that they patch it before surfing the Web with it.

Alan: That’s a great tip. One last question: in 1998, the members of L0pht testified in front of the US Congress that a committed team of hackers could take down the entire Internet in 30 minutes. Security has certainly improved and the Internet has certainly gotten bigger, but the attackers have gotten more sophisticated too. Do you think that statement still holds today?

Dino: Yes, and I probably shouldn’t say much more about it than that. Unfortunately, the Internet is more fragile than we would like to think and a lot of its core protocols require a redesign with security in mind.

I apologize for the sometimes short and vague answers, but this business often requires a high degree of secrecy in order to protect clients and users.

Alan: I completely understand. Thank you for your time. It was pleasure.

Alan Dang
25 Comments Comment from the forums
  • cruiseoveride
    Wonder why he didnt mention SELinux
    Reply
  • mrubermonkey
    If it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystic of his image.
    Reply
  • AlanDang
    Not really -- the black hats make money off the Internet -- it doesn't help them. By definition though, the risk is always about "taking down" a few IXP's or the +1 nodes.
    Reply
  • "Selectively granting privileges to enhanced functionality to Web sites is an area where most Web browsers can improve".

    They may not be core functions but everyone I know who is concerned with security on the Internet uses Firefow with the add-ins Noscript & Flashblock.
    Reply
  • vaskodogama
    mrubermonkeyIf it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystic of his image.I am from Iran, All the Iranian Goverment can do, is blocking porn and politics web sites! :D
    Reply
  • pcworm
    I'm also from Iran , come one, we still connect using bloody dial up, you guys cant be serious! although due to the "no copyright" law we can buy Windows, Mathlab, VS 2008 team System,office 2007 and a lot more for less than a dollar each...:-) you dont need broadband here cause piracy is official
    Reply
  • Gutbop
    Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.

    Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that?
    Reply
  • Gutbop
    Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.

    Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that?
    Reply
  • Gutbop
    Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.

    Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that?
    Reply
  • I am a Mac user as well. I also use many versions of Windows and Linux in VM. I am not a security expert or anything but why is everyone hung up on someone taking down the internet. Hackers use the net to make money or prove a point. I don't think they are going to shut the net down and hold it hostage, who would be forking over the money anyway. And if they did it to prove a point how would they ever get recognition for the task when all communication stops.
    Reply