Cigital

Gary;

Thanks for the interview here with Dr. Bishop. I am currently in one of my core classes in my doctorate in Business Administration in which I am specializing in the Computer Security aspect. My goal is to eventually teach Computer Sciences at the college level once I finish the degree in 2012. My current class is utilizing Dr. Bishop’s “Introduction to Computer Security”, so it was a pleasant surprise to hear his thoughts on the field in general.

Gary, I’ve heard you say several times in the various podcasts that you believe that breaking systems is more popular because it is much “sexier” than the security side. In a way, I agree with you — but in another manner, I have to disagree. Breaking systems, in my opinion, is much easier to do than building systems. its typically the nature of human beings to take the shortest, easiest way to achieve any particular goal. Since breaking things is easier than building them — hacking/cracking is the more alluring path for individuals to take. Yes, the movies, fiction novels, and even the exploits of individuals such as Kevin Mitnick glamorize and romanticize the hacker/cracker into something akin to a technological “Robin Hood” figure. However, I maintain that its the ease of which breaking things can be done versus the difficulty in which it takes to build secure systems that makes hacking/cracking more “popular”. Like Avi Rubin noted in your first episode: “the attacker only needs to succeed once.”

Anyways, thanks for your shows. The interviews are absolutely awesome, and provide many points of view that I would never have thought about in regards to InfoSec. New, fresh points of view, in my opinion, are key to gaining better insight into how to defend one’s Network/System/Enterprise.

Tommy

Hi Tommy,

Thanks for your kind words about the podcast. We always enjoy making the episodes, and it is gratifying that others like them too.

On the attacker’s front I guess my position is not as clear as I would like it to be. I am a HUGE fan of building things properly. Check out my book “Software Security” for more . But regardless of that fact, I believe that attacking systems remains more popular. I would rather that it were only equally as popular as building things properly, but human nature dictates otherwise. Last I checked, most humans take “easy” over “difficult” when faced with that decision.

Not surprisingly my book sales reflect the propensity for people to prefer attacking (or rather reading and learning about attacking) over building things properly. My “bad guy books” Java Security, Exploiting Software, and Exploiting Online Games outsell the “good guy books” Securing Java, Building Security Software, and Software Security about 4:1. Go figure.

Thanks for being a loyal listener. And quadruple thanks for your input!

gem

Gary;

Thanks for the fast response! I think you and I are saying nearly the same thing — just using different sets of terminology. But I do appreciate you answering back with your point of view. Your book is definitely on my list of the current “to-get” list.

Also, I was wondering if you might get Scott Moulton or a Data Forensics individual on a future show? Possibly??

Again, thanks for the quick response…keep up the fantastic work with the show.

Tommy