We sat down with Bellovin, who caught his first hacker back in 1971, to talk about his book.

vpnMentor: What made you write Thinking Security?

Bellovin: For years, I’ve been saying that the worst thing to do in technology is to give yesterday’s answer to today’s questions. Technology changes; why should the old answers be right? Authentication is a classic case in point – the standard advice to “pick strong passwords” dates to 1979, a time when many people were using hardcopy terminals and had no local computing or storage capability, and might have to remember three passwords. None of that is true today – why should the advice remain the same?

Anyway – I saw one too many pieces of bad advice on authentication and started to write something. But I was on sabbatical then, so I had the time to write a book – and there were other issues where I kept seeing the same phenomenon: firewalls (and recall that I co-authored the very first book on that subject, in 1994), PKI, cloud computing, and more. The problem was that no one was teaching people to think beyond the checklists. I’ve been trying to teach just that to my students, but there aren’t really any good texts that do that. I decided to write my own book.

vpnMentor: What new knowledge did you gain while writing this book?

Bellovin: That’s a remarkably hard question to answer. Any time you write a book, you’re forced to learn the fine details of anything you cover, even in an area you know well. Take firewalls, for example. I’ve been working with them for a very long time – I co-authored the very first book on them, in 1994, and have done further work on them since then – but ruminating on what, fundamentally, firewalls are and what they’re good for led me to some new insights on their role in collaborative projects, and on how to do proper logging in such situations.

For that matter, authentication is far more subtle than I had thought, even though it was a desire to dispel myths about it that led me to write this book in the first place. I have some forthcoming papers examining what, in essence, identity is, and what the real risks are for various authentication schemes.

Thinking Security: Stopping Next Year’s Hackers is available for purchase on informit.com.