Interview with Eugene Spafford

TrustBearer is located in Indiana and—as might be expected—several members of the company, including the company’s founder, are graduates of Purdue University, in Lafayette, IN. A couple of TrustBearer’s Purdue alums studied at the Center for Education and Research in Information Assurance and Security (CERIAS), under the direction of Gene Spafford.

Gene Spafford is a well-known programmer, researcher, and educator in the field of computer and information security. He is perhaps best known for his analysis of the first internet-distributed worm in 1988, the Morris worm. He also has a knack for punchy security metaphors.

Spafford was recently interviewed by Tom Field of the Information Security Media Group. It’s a thoughtful, thorough interview, well worth sharing. The subject of the interview is information assurance education. Spafford was asked about the current state of information assurance:

SPAFFORD: Well, it is still rather chaotic. There are a range of issues and priorities within the field where education can be directed; some of the education is directed towards people who are practitioners, who are going to be on the front lines running systems. Some are oriented towards management-type positions that are setting policies and ensuring compliance. And there still is a community focused on the research aspects, more how to solve problems that are just emerging.

We don’t really have a common curriculum that runs across these, although there are a couple of efforts that are underway to try to define parts of it, and it isn’t really certain what the best practices are, what the background expertise should be for these positions. So it is still an area that is evolving quite rapidly.

In the interview, Spafford also talks about how information assurance and security have changed over the past couple of decades:

When I really saw the start of this field in the late 80’s and early 90’s, most of the people who were involved had a deep understanding of issues of machine architecture, encoding, network protocols, and really understood the systems at a low level. What we see now for many educational institutions is they are focusing on high-level applications, web security, JAVA, running prepackaged firewalls and IDS systems, and many of the people going to that educational path are not exposed to those low-level details, even though some of the attackers are exploiting those low-level details. So we have seen a split off of that kind of expertise in two areas, both the research arena and also some in the forensics arena.

But of course the field has also grown; the level of threat has changed significantly. If we go from the late 80’s/early 90’s, there wasn’t any commercial use of the Internet, and it didn’t have the global reach it does now. So the issues of social engineering, fraud, phishing, many of the other kinds of false information presentation and mailed-around exploits didn’t exist back then. So we have seen a huge evolution in the threat picture, in the target set, and in the overall understanding of what security in computing is all about.

Related Links

Spafford Interview on C-SPAN: An expansive (30 min) general-interest interview with Spafford on the state of internet security and identity protection.

Do We Need a New Internet?: New York Times piece on the future of internet security, including a discussion of Spafford’s work.
