It occurred to me recently that I’ve been covering the security industry for just about 10 years. That’s a long time to be doing anything, and especially to be writing about one topic. But it’s hard to think of something that would have been much more interesting to cover this decade, given the huge change in the amount of attention paid to security and the fascinating cast of characters this industry has.
So, given that it’s the end of the Naughties and everyone is looking back, fondly or not, herewith is a list (in alphabetical order, sorry Chris) of some of the more interesting people I’ve had the chance to interview in the last 10 years. It’s by no means a comprehensive list, and the criteria for inclusion were completely subjective and made up on the spot.
Dave Aitel, Immunity
Dave is one of the four or five smartest people I’ve ever interviewed, and not just on matters related to security or technology in general. His posts on the Daily Dave mailing list are always thoughtful and often funny and he has a knack for explaining insanely complex exploitation techniques, concepts and theories in simple language. Dave has the hacker’s mindset, knows how the attackers think and is always looking several steps down the road to see where they might be going next.
Ivan Arce, Core Security
I’m not sure there are too many people around who put more serious thought into their answers in an interview than Ivan does. He doesn’t just throw out a flip sound bite that he knows will make good copy. Instead, he’s much more interested in having a discussion, explaining the reasoning behind his answers and asking just as many of his own questions. That’s a rare thing, believe me. And so is Ivan’s ability to bring context to debates or conversations that often have none, like the full disclosure wormhole. Ask him his thoughts on that. Go ahead.
Dino Dai Zovi, Endgame Systems
I’m always fascinated by people who are prodigies in their field, and I think Dino probably falls into that category. He’s been in the top tier of offensive security researchers for several years, having worked at both @stake and Matasano, is known as one of the top Apple hackers in the game, has two books to his credit so far and is really just getting started. Dino is one of the few researchers who focuses mainly on the Mac and he’s known to be measured in both his praise and criticism of Apple security and has the chops to back his statements up. He’s funny, smart and humble, something that’s almost unheard of among top researchers.
Dan Geer, In-Q-Tel
Anyone who has ever had a single conversation with Dan, or even seen him speak, will understand immediately why he’s on this list. Dan’s as smart as they come (he has a Ph.D. in biostatistics!) and his widely varied background gives him a truly unique perspective on security issues. His talks and answers to questions rarely even mention technology, and his advocacy of better application of the scientific method to the practice of security has helped spawn an entire movement inside the industry. I once called Dan “the dean of the security deep-thinkers’ set” and that doesn’t seem to even do his stature in the security community justice.
Chris Hoff, Cisco
Where to start with Hoff? Best known for his evangelism and criticism on virtualization and cloud security topics, Hoff is among the more entertaining and educational speakers on the security circuit. And, more importantly as it pertains to this list, he can fill up a notebook. Hoff has ideas and opinions to spare, and unlike a lot of vendor security folks, he says exactly what he thinks. He also isn’t much interested in letting people get away with opinions that have no thought or reasoning behind them. More than a few times in interviews he’s listened politely to a question I’ve asked, and then said, “That’s not the right question to ask. Here’s why.” Or, “Come on, that’s a lazy question. You can do better than that.” Writers need to hear more of that.
Gary McGraw, Cigital
Like Geer, Gary has a unique view of the security world, one that is informed by his background in cognitive science and philosophy. He just doesn’t come at questions or problems the way that most people do, and that makes for interesting conversations. Gary’s among the top experts on software security, but he’s just as happy to steer the conversation to philosophy, barn-building or music, and then bring it all back to security and tie it up in a package. That is non-trivial.
Bruce Schneier, BT Counterpane
There’s a certain subset of people who will stop reading this list as soon as they see Schneier’s name. That’s fine, I get it. Schneier is among the more controversial figures in the security industry and has more than his share of both fans and detractors. But this list is people who are interesting to interview, and Schneier is right up there. He was among the first people to bring some common sense and critical thinking to the atmosphere of paranoia and panic surrounding security after 9/11 and he’s continued to be among the more credible voices on threats, security, privacy and the ways in which those three things intersect. He talks and writes less about information security than he used to, but his answers to questions are always well thought-out and considered.
Adam Shostack, Microsoft
I first met Adam well before he joined Microsoft and have interviewed and corresponded with him dozens of times over the years, and I’ve learned something new from every one of those conversations. Given that the goal of most interviews is to learn new information, you’d think that would be sort of common. It’s not. In a lot of interviews, both the writer and the subject know exactly what will be discussed and much of what will be said. But Adam, like a lot of the other people on this list, doesn’t let things go that way. Ask him about privacy or threat modeling and you better be prepared to talk about economics, politics or art. Be prepared to be challenged.
Window occupies an entirely unique place in the security community. Sure, being a woman in the security community is rare enough. But she also commands a lot of respect in this ultra-competitive world, having helped develop Microsoft’s threat modeling process, worked as a security architect at @stake and as the top security exec at Mozilla. I’ve seen some of the smartest and most well-respected researchers in the world ask her opinion on their talks and papers at conferences. And even when she was at Microsoft or Mozilla, she never was afraid to speak her mind and say what needed to be said. I remember being in a conversation with Window years ago and hearing a large gasp from the PR rep in the room when Window went off the script and started talking about specific ways to improve Windows security. The PR rep did not win that battle.
Chris Wysopal, Veracode
Chris was one of the first security researchers I met, in 2000, when he and the rest of the L0pht had just become part of @stake. I’ve probably interviewed him more often than anyone else on this list and he’s helped me with dozens of stories over the years. He always had five minutes to explain why I had screwed something up (often), what a good story angle might be or why an attack, vulnerability or trend was important (or not). He has the institutional memory of having been in the industry for close to 20 years, on both the research side and the corporate side, and he knows where the bodies are buried.
Others receiving votes: Dan Kaminsky, John Thompson, Whit Diffie, Chris Klaus, Tom Ptacek, Robert Hansen, HD Moore, Dale Earnhardt, Henry Winkler.