
An Interview With Aleph One

Posted Aug 17, 1999
Authored by Network Command

An interesting interview with Aleph One, the moderator of the BugTraq mailing list.

tags | paper
SHA-256 | 53f65d1ad4fbd41bcdaa9a60f75c2f82b64020eccb6afb1d05e153dc839c443a

http://www.networkcommand.com/one.txt
4/19/99

So, let's get started with the standard information...
There has been some talk on other mailing lists of switching to a paid
subscription service -- gotta eat somehow. Bugtraq has always been free,
do you have a day job?

I assume you are talking about NTBUGTRAQ. Yes, I have a day job although
it tends to change every year or so. I've also been lucky that I've always
managed to have enough free time to manage the list, which normally
takes about one or two hours a day. But let me assure you that BUGTRAQ
will always, so long as it is within my power, be free. BUGTRAQ
is about community and the free exchange of information. BUGTRAQ is
what it is because of its subscribers. Seems like a rather fast way to
kill the list would be to tell people they have to pay for the privilege
to read their own posts.

What is the current number of list subscribers on bugtraq now?

Twenty seven thousand five hundred. Give or take a few.

Do people sometimes send you email just thanking you for what the list
provides? Yesterday I thought, "What if bugtraq just went away?? What
would we do?" There will be a time when either bugtraq or the open source
movement saves lives if it hasn't happened already...

Sometimes. Mostly after an "Administrivia" message. There have been people
that have joined and don't even realize there is a moderator until one
of those posts. It feels nice when people let you know they think you
are doing a good job, but as with any position that involves some public
visibility there will always be some group that thinks otherwise. Over
the years I've learned to run things as I like and not to worry about
what people think. If they like how things are being run the list will
prosper. If they don't then they will move on and the list will disappear.


What was the first computer you were ever exposed to?

Compared to some people in this industry/community I would consider
myself a latecomer to the computer world. I believe my first contact
with computers was during middle school where I learned programming
using Logo on an Apple IIe. For several years after that I had no
contact with computers. Next I took a Lotus 123 and Dbase IV class
using IBM PCs. I also obtained access through family and friends
to a few Macs. The first computer I owned was an Apple II GS.
At the time I had little access to any software other than that
which came with the machine so I learned Apple BASIC.

I truly became involved with computers when I moved to go to college.
I bought a 466 DX 50, took some college computer classes and learned
about unix. About this same time I became involved with the hacker
underground.

Did you ever get involved with the BBS scene?

Yes but only to a limited degree. At some point I had become interested
in the hacker phenomenon. I had seen the movie War Games some years before
so it might have been the seed that sparked my curiosity. I had done some
research at my college's library and come up with several news and magazine
articles, including the infamous Esquire article that made Captain Crunch
famous. I also read the books Cyberpunk and Hackers. Somewhere I came
across a copy of 2600 and bought it.

This issue of 2600 had, what else, plans on how to make a red box out of
a Radio Shack tone dialer. I decided to try to build the device so I went
down to my local Radio Shack store to buy the part. In the store also
buying some parts were two rather curious characters. I asked the attendant
for the crystal and some other part. In the meantime the two other guys
paid and left the store.

When I left the store I found them waiting for me. They asked me what I
was building and I replied it was a red box. I asked what they were
building and they said a black box. One of them was Intrepid Traveler.
Intrepid gave me the number to a local board. The rather famous Lunatic
Labs.

It was that encounter and going to the LA 2600 meetings that really got me
started in this whole business.

After calling LunaLabs for the first time I obtained a list of several other
boards. For that whole first month I called some of the better known
non-local boards in the country. Daemon Roach Underground, UPT, and some
others. After my phone bill that month reached several hundred dollars I
decided to stop calling long distance boards. I hung out at LunaLabs
and some other local boards but then moved on. I had Net access!

What platform/s do you prefer to work with?
Why?

Linux and Windows NT. Linux for the simple fact that it supports more
of the hardware I want to use and more applications. Windows NT I use
mostly for applications. Truth is I hate OS wars. They are the dumbest
thing in the world. Each OS has its strengths and weaknesses. Use the
right tool for the right job, or use the tool you feel more comfortable
with.

There seem to be two camps in the security industry right now. There's one
camp that thinks they are secure or close and the other that is just
waiting for the killer app and understands the damage it could cause.
That Melissa virus really freaked people out, but if you know anything
about security you know Melissa was nothing compared to what could be coming.
Do you think the second camp is right, or alarmists?

If there is any camp that thinks they are secure then I must have missed them.
But I don't think we are doomed either. For the longest time I wondered why
no one had written a new worm. After all it's not really that difficult.
But the reality is that even with Microsoft's dominance of the OS market
we live in a very heterogeneous world. Writing a worm that can infect
more than one OS is more work. Writing a worm that can infect all OSes and
different versions of the same OS is a very large task. Even the DNS ADM worm
floating around didn't do much. Too many flavors to take care of them all.

Even by all accounts the Internet Worm didn't really spread to a majority
of the Net back then. The thing could only really infect two flavors of UNIX.
Yet even if we are not looking at a doomsday scenario a good number of
people could be inconvenienced by a large enough attack. Melissa did not
infect anywhere near a majority of net users. Still it was a large number.

Should that guy who wrote it be held responsible, or Microsoft for writing
insecure software, or the end user who runs it because they are ignorant?

I don't believe the guy who wrote it should be held any more responsible
than someone who publishes bomb recipes (or cookie recipes for that matter).
The person that released the virus to the wild should be held accountable
although the fact that it wasn't malicious should be taken into account.

Microsoft should be held accountable as well. They will of course reply that
they simply add features because customers ask for them. Yet when you reach
the monopoly Microsoft has reached you have the obligation to do what is
best for the consumer, even if it means telling them they can't have some
feature.

Finally, the consumer should be held responsible as well. They continue to
base their purchasing decisions solely on an application's feature set
without taking into account security implications.

Do you feel the quality of virii and hacks are going to increase as we
approach y2k and move past it?

The number of knowledgeable people will increase so the number of quality
virii/hacks will increase as well. But the addition of the "hacker" figure
to the pop culture pantheon of rebels will also increase the number of
clueless people that call themselves hackers, therefore the percentage
of quality virii/hacks will decrease.

Do you think we are going to see an increase in foreign governments using
the internet to harm their enemies?

We will see an increase of intelligence gathering activities by government
entities but I doubt it would develop into "net war". After all their
computers are just as vulnerable as ours. I guess we go back to the
doctrine of mutually assured destruction. Of course this assumes their
society is as dependent on the net as ours is.

Although I feel like I have more access to information now (news reports
from alternate sources, video of human rights violations, etc.) I still
feel like I'm missing the same piece of the puzzle, if you know what I
mean. Take China for instance. Their current government has created an
Orwellian 1984 -- and proved that history repeats. They have created the
Great Firewall of China and are executing people for acts conducted over
the net. Singapore is proxied -- the whole country. I can't even imagine
what that would be like. Do you think the oppression can continue, or...

I think the Net is a wonderful tool to bring down such regimes. Before it
the TV had a similar impact. It had the effect of introducing foreign ideas
that are difficult to control into those environments. I think the problem
you are seeing is that you are expecting change to occur overnight. That
is very unlikely. It takes at least a whole generation for the young people
that embrace these ideas to come into power. You also have to understand that
those societies are not as wired as ours. The people with net access in those
areas tend to be either the elite, the ones in power or the rich. Not exactly
those that you want to reach. I see things moving in the right direction
but it will take time.

Do you have any info on the cDc's Chinese emailer app? I guess it returns
censored web sites via email.

No. Although it sounds like a wonderful tool.

Do you believe Open Source is the only way to be secure?

Theoretically yes. In practice it can actually be a hindrance. The common
example is comparing the number of Linux exploits to say Solaris. There are
many more Linux exploits among other things because people can read the
source. Now in theory since we have the source everyone should have audited
it and fixed any problems, but how many people actually do that? In theory
you can also find vulnerabilities in a closed source system, but in practice
it's more difficult. So security through obscurity can help, it's just that you
should never depend on it.

Does this mean we should give up on open source? No. It just means we have
to strive at doing better auditing of it ala OpenBSD or the Linux Auditing
Project.

Marcus Ranum has some very good ideas on how open source can actually burn
you.

That was an interesting discussion about this issue on the firewall mailing
list with regards of the availability of the Gauntlet firewall source code.
The source code has been available to any customer for years (until recently),
but how many people actually bothered to look at it and send in bug reports?
Not many.

Everyone wants to live in a utopia. Too bad we live in a practical world.

Know anything about Quantum Cryptography?

Just some basic concepts. Nothing I would want to describe for fear of
talking about something I don't really know about ;)

What's up with your web site underground.org? It's a pretty picture but
everyone wants to know if there is some skunk works going on back there...

There is nothing there but the picture. Underground was a fairly popular
security archive in the past. Over time it grew to the point it became
difficult to maintain and I let it rot. At some point in the future
a hard drive crash took the web server down. All the information in
the site was so dated that I decided to keep it down. I've been working on
a new version of the site for a very long time now. I can't say when it
will be ready. It's a lot of work and not very fun at that.

Who is Jennifer Myers?

The person that runs the de facto BugTraq archives at geek-girl.com.
She's had no formal relationship with BugTraq.