Security Threat Analysis: Interview With Dino A. Dai Zovi
Table of contents
- 1. Introduction
- 2. More Than Meets The Eye
- 3. Risk Versus Exploit Versus Vulnerability
- 4. More On Sandboxing
In our continuing series on personal computing security, today we’re talking with Dino A. Dai Zovi. Three years ago, the organizers of CanSecWest started a contest titled Pwn2Own. This contest involved the challenge of exploiting fully-patched retail laptops. Hack the laptop and you’d win the machine as the prize. Dino A. Dai Zovi was the first person to take down a Mac during the first Pwn2Own. Last year and this year, Charlie Miller took the honor of taking down two fully patched Macs. Dino and Charlie are co-authors on the The Mac Hacker's Handbook.
Alan: Thank you for taking the time to chat with us. So, before we begin, why don't you tell a little bit about yourself?
Dino: I am a computer security professional and independent security researcher. My professional experience spans penetration testing, software security auditing, and security management. I am a co-author of two books, the most recent being The Mac Hacker's Handbook with Charlie Miller. I often speak at security conferences about my security research on exploitation techniques, 802.11 wireless client security, and hardware virtualization-based rootkits. I focus on offensive security research because I believe that it is necessary to view systems as an attacker would in order to design more secure systems.
Alan: Is “offensive” security research what’s most commonly practiced now?
Dino: It is in the rarity of the computer security industry, and still considered “taboo” by many practitioners. While some conferences, such as the Black Hat Briefings and CanSecWest, have a large number of talks that discuss security weaknesses, the larger conferences such as the RSA Expo cover it significantly less.
Alan: I did not realize that distinction. Now it makes sense why Black Hat Briefings and CanSecWest always seems to have the most interesting and innovative work being presented. How did you get started in the security business?
Dino: I had begun teaching myself computer security in high school and had been doing some miscellaneous consulting work since then, mostly performing penetration tests for local and remote businesses. That wasn't enough to pay my way through college, so I also worked part-time as a Unix systems administrator. I kept focusing on security in school and at work, and eventually I began working as a contractor for a research lab performing security analysis for their Unix administration group. From there, I was also able to start working for their Red Team and was eventually hired into that group to perform Red Team security assessments for external organizations. After I had graduated from college, I moved to NYC and started working for @stake, the digital security consulting firm that was later purchased by Symantec.
Nice interview. At least someone explains why he likes this better than that. I don't agree in all, but who am I? Maybe now I will give chrome a try. SandBox seems to be very promising, but until now I didn't see all those features they told me when I was at university some years ago. Perhaps those features are finding their way now but very slowly.
I've gotta find out more about these stories of "I taught myself XYZ," this guy prob brings near 6-figs or more if he's doing a lot of private "penetration testing." People are always saying they taught themselves blah blah and paint this picture that everything was 1) 2) 3) 4) in order, so smooth and simple. I'm not buying it for a second. These jobs are extremely competitive and reading a few cert books by yourself and shit, ain't cutting the mustard... Good info to know though, I'd like to see more articles like this, interviewing the unseen/unsung agents in the field of IT-security. Thanks guys.
To v12, I believe it has a good bit to do with timing. It's possible to rise fast without much formal education if you get in when the field is first taking off. Since the IT industry changes so fast, experience early on is enough to get by. But then the flood gates open and you need the education just to help differentiate from everyone else. I know the feeling though and would love a closer look on their backgrounds.
LordGamer, i think you're right. Timing is very important to get you in, and then once you're experienced enough you just keep up since you get so much resources (cuz ur on top) so its hard for newbies to get in even if they are smarter!
Dino im not saying your not good, you seem intelligent, keep going.
thank you all
Was the good samaritan a reference to "Burn after reading" ? God that was a great movie.