Interview: Ira Winkler, author of Spies Among Us
David Geer recently spoke with Ira Winkler, author of Spies Among Us. Winkler is also the President of Internet Security Advisor's Group and a former employee of National Security Agency. Following is an edited transcript of that conversation.
You may also listen to the original interview here, or visit our Podcast Center for more audio interviews.
David Geer: What single theme defines you with respect to how you approach security issues?
Ira Winkler: I look at security much more as a process issue. A lot of people tend to say it. I've kind of lived it ... where it doesn't matter to me what sort of process controls or what sort of technical controls are in place. It's the use of the technical controls or the operational controls that actually make a difference with regard to security. You could add the best technology in the world, but the best technology in the world, not used properly, becomes completely worthless and works against you because it gives you a false sense of security. I [also] don't look at computers for the sake of computers. Computers are generally useless. What's valuable about computers is that the information or services they provide. I don't even approach security as trying to make computers secure. I look at security as a way of protecting information as a whole. Another thing that kind of makes me unique is the way I look at things in general. I try to look at the very basics of security, [and] how can [the basics] either be compromised or how can they be better secured?
Geer: You've done security work for the government and you've done it for public corporations. What kind of issues actually appear in both the corporate and government worlds -- things that people might actually be surprised or shocked [to learn]?
Winkler: It all still comes down to the basics. There's a lack of basics inside the government, like there's a lack of basics outside the government.
Unsecured web servers, for example, have been a major pain that's caused a lot of information leakage and a lot of embarrassment. Ways you set up and give out information. Private companies don't have good policies in place in much the same way that we've seen leaks in the Federal Government, because again, the processes and the policies in place are not really that great.
It's the little thing[s] that allow the most sophisticated attacks to be big. So when we see loss of information about individuals in the government, we see it in the private sector as well. And when it happens in the private sector, that information then involves many, many more people than the leak in the government. So that's one issue. But I've also seen cases in the private sector where, for example - you know, I've seen foreign intelligence agencies target companies and corporations. In one
pasmith
Kindle news: pricing, business models and ... source code?
mulderjoe
Cell phone gaming: In search of good mobile games
jfruh
The guts of the iPhone 3GS
Enter your caption for this week's cartoon! The winner will receive a $25 Amazon gift card. Go now!
Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!
The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!
