(Source: http://www.info-sec.com/internet/99/spafprofile.shtml, 1999) Eugene Spafford sees security as serious business…nicknames, aphorisms and practical jokes notwithstanding. BY ANDY BRINEY
Imagine you’re about to meet Eugene Spafford for the first time. If you’ve worked in the field of information security for any time at all, you’ve probably heard something about the man: his role in the development of Usenet, or his work at Purdue University’s COAST Lab, or his contributions to programs like COPS and Tripwire. Maybe you’ve read Practical Unix & Internet Security or Web Commerce & Security, books he co-authored with Simson Garfinkel. Or, perhaps you heard about his recent appointment as director of CERIAS (pronounced “serious”), Purdue’s new Center for Education and Research in Information Assurance and Security, a first-of-its-kind initiative funded in part by a three-year, $4.9 million Lilly Endowment grant this past January.
You also know that most people refer to him as “Spaf”—probably even some of your co-workers, who, like you, have never actually met him. Ah, but there lies the rub: Spafford doesn’t know you, and you’re the one about to meet him. So you’re inclined to address him as “Professor Spafford” or “Dr. Spafford.” Or at least “Eugene.” Certainly not “Gene.” Definitely not “Spaf.”
The reason for your initial uncertainty— aside from a simple desire to be polite—probably has something to do with Spafford’s appearance. With his colorful bow ties and graying red beard, he definitely looks like a highbrow intellectual, and after a dozen years on the faculty of Purdue’s Computer Science Department—including the last six as project director of the Computer Operations, Audit and Security Technology (COAST) lab—he has no doubt earned the right to be called “Prof. Spafford,” by anyone inside or outside the academy.
But the bigger reason for your uncertainty probably has to do with Spafford’s reputation as a hard-nosed purist who refuses to compromise on his ideals—things like duty, professional ethics and social responsibility. In his campus office in West Lafayette, Ind., there’s a quote from Mark Twain hanging on the wall. “Always do right,” it says. “This will gratify some people and astonish the rest.” Spafford has a clear vision of what is right and wrong in the world of information technology and security, and he’s not shy about telling anyone about it.
Of course, that puts some people off, especially those who know him only through the tone-dead medium of electronic messaging. Thousands of people first “met” Spafford online during his 12-year stint as overseer of the Usenet “new users” postings, a volunteer job that brought him a great deal of satisfaction…and aggravation. From 1982 to 1994, he wrote FAQs for newbies, issued advice on ’Netiquette and even helped design new Usenet group categories and naming structures. But as Usenet exploded in the late ’80s and early ’90s, it quickly became unmanageable, despite his best intentions. Some users began pushing him to designate newsgroups “designed to offend or annoy others, or with a lack of concern about the possible effects it might have on the ’Net as a whole,” he says. At one point, after taking a stand against anonymous remailers, he started receiving death threats from miscreants calling him at 3 a.m. blathering on about censorship. He knew then it was time to quit.
Today, an ongoing battle with a repetitive stress injury (RSI)—a painful numbing of the wrist nerves brought on by years of keyboard jockeying—has sharply curtailed his ability to type at all. When he does, the messages are usually short and to the point. When you take this all together—complex ideas not easily communicated in short messages across a cold medium—Spafford can come off as a little demagogic. “There’s a lot of people who think I’m inflexible, or that I’m harsh and severe,” he admits. “The electronic medium is hard to use.”
So, as you prepare to meet Spafford in person, there’s all this baggage hanging out there, including this silly issue of how to address him. As it turns out, all the pretense is quite silly, because one-on-one, Spafford is a friendly, effortless conversationalist who can draw you into any topic of discussion, leading you along like the consummate teacher. By all rights, “Prof. Spafford” is appropriate. But somehow it just doesn’t fit. Soon you, too, find yourself calling him “Spaf.” It feels awkward not to.
Spaf doesn’t seem to mind. “He’s a listener instead of a compulsive talker,” says Gene Schultz, an adjunct professor at Purdue. “He very seldom misunderstands what someone says. He’s very reflective—not just on things in the field, but on everything. He’s always looking at the other side of the analysis.”
Spaf can talk your ear off about system reliability or fault-tolerance, but he’s just as comfortable discussing philosophy, or business, or psychology, or medicine…or whatever. One glance at his bedside table bears this out: he’s reading Dorothy Denning’s new book, Information Warfare and Security, but also a collection of essays by Louis Grizzard, a translation of Sun Tzu’s The Art of War and a treasury of sayings and stories by his mainstay, Mark Twain.
“What’s unusual about him is that he’s not just a byte head,” Schultz says. “Technically, he’s one of the best in the field, and there aren’t many topics in the field of information security he doesn’t know about. Too many people who’ve made their mark made it only in one area. This guy’s the complete player.”
Lance Hoffman, director of the Cyberspace Policy Institute at George Washington University, agrees. “If they had Oscars for computer security, Spaf would sweep most of the awards—things like ‘Number of Important Projects Worked On,’ ‘Impact on Policy-Related Matters,’ ‘Overall Impact on the Field,’ and so on,” he says. “I’d find it hard to beat him in any of those categories.”
The other thing is, for someone who’s supposed to be such a curmudgeon, the guy’s pretty funny—not funny weird, but funny ha-ha. Around campus, for instance, he has a well-earned reputation as an incurable practical joker. Mike Atallah, another Purdue colleague, tells about the time Spaf duped about a dozen colleagues on April Fool’s Day 1989. Seems Spaf sent them all a letter on “official-looking” FBI stationary. Signed by “Special Agent Baer,” the letter asked them to contact the FBI field office in nearby Indianapolis regarding “an urgent national security matter.” If Agent Baer wasn’t available, they were to ask for Agent Lyon instead. So, they all diligently called the phone number provided, only to be puzzled when they kept reaching the Indianapolis zoo. Then they noticed the agents’ full names: Theodore “Teddy” Baer and George C. Lyon.
That Spaf focused his career on information security in the first place is more a matter of circumstance than master planning. He has dabbled in security since his early days at Georgia Tech, but it wasn’t until the Morris worm hit the ’Net in 1988 that Spaf got serious. Up to that point, published scholarship in computer security tended to be highly theoretical, focusing on the bits and bytes of flaws and vulnerabilities. In the Morris worm, Spaf saw a perfect opportunity to educate the industry about the practical implications of security threats and vulnerabilities—their impact not just on technology, but on business process and social dynamics as well. “My experience has been that the most significant problems, the ones that are the hardest to deal with, are not the technology issues,” Spaf says, “but the issues of awareness, cost, education, ethics and use.”
The resulting treatise, “The Internet Worm Program: An Analysis,” was highly acclaimed both inside and outside the academy. The paper also set the tone for much of Spaf’s research in the ensuing 10 years, the bulk of which has been conducted under two programs: the Software Engineering Research Center (SERC), an NSF-sponsored, multi-university co-op devoted to the development of tools and methods for improving software quality; and COAST, the Purdue CS lab that focuses on security for legacy computing systems.
Spaf has directed more than 40 research projects at SERC and COAST since 1988, some more widely known than others. You may not have heard about projects such as OPUS, which explored better ways to control passwords; or IDIOT, a new approach to misuse detection. Then again, you’ve undoubtedly heard of COPS, the popular audit and vulnerability assessment tool; and Tripwire, a widely used integrity-monitoring tool for Unix (and now NT) operating systems.
When you take a step back and examine the body of this research, three themes emerge. The first is utility, an insistence on developing practical methods and tools that address real-life problems. Such a focus seems like a no-brainer in today’s application-driven industry, but in academia it hasn’t always been so. From 1990 to 1994, for instance, Spaf and several students worked on a project called Spyder, which studied new methods for improving software debugging and testing. At the project’s conclusion, they wrote up the results and even offered the software free to commercial developers. To their amazement, “nobody looked at it,” Spaf says. “It made no difference. For someone like me, that was very frustrating.”
Which brings us to the second theme: accessibility. One of reasons Spaf has remained in academia—despite the fact that he could make three or four times the salary by crossing over to industry—is a desire to improve not only the industry’s approach to system design, but the general population’s awareness of security as well. “Some of the things I’ve been doing all along have been trying to make information more available,” he says. “I don’t want to make a product that someone’s going to use for 15 years and then it goes away. I want to do something over the longer term by actually changing the population.”
This meant changing, first and foremost, the way the industry itself perceived security. “For a very long time, infosec was a cloistered area. We didn’t talk about security problems, and we didn’t talk about security issues,” Spaf says. “The tools were highly restricted, and we didn’t share them with anyone. To me, from the standpoint of software quality, if you can’t get the information, you can’t fix things.”
Take COPS, for example, the audit tool developed by Dan Farmer under Spaf’s direction. Until COPS was released in 1990, system vulnerability assessment tools were virtually nonexistent for general public consumption. Several commercial firms were working on proprietary solutions, but none was willing to share the technology with anyone else. “Everybody believed that if you had a tool like that, people would use it to break into systems,” Spaf says. As the first publicly available audit program of its kind, COPS “helped change the public attitude about work that had an application component rather than a highly theoretical one.”
The third theme of Spaf’s work is the most obvious one: education. Both of his parents were teachers, and despite all his other commitments, Spaf says he still gets a thrill out of “seeing that light bulb go on” in his student’s minds. “It’s a sense that you have thrown a pebble into the pond and the ripples are going to go much further than you could possibly ever tell.”
The Purdue alumni who have studied under Spaf make up a veritable Who’s Who of infosecurity’s next generation. In addition to COPS’s Dan Farmer, who went on to develop the SATAN system scanning tool, there’s Gene Kim, lead student researcher on the Tripwire system and now vice president of Tripwire Security Systems, which sells commercial UNIX and NT versions of Tripwire; Ivan Krsul, a repeat winner of Purdue’s Maurice Halsted Software Engineering Award, now a professor and entrepreneur in his native Bolivia; Steve Chapin, a Purdue Ph.D. recipient, soon to join the faculty at Syracuse University; and dozens of others, the industry’s best and brightest, now working for the likes of Telcordia Technologies, HP, Nortel, Fed Ex, IBM, Cisco, Sun, Intel, Motorola, Microsoft and several U.S. government agencies.
Spaf Gets CERIAS
All of which brings us full circle to Spaf’s latest coup: CERIAS. In grand and storybook fashion, CERIAS encapsulates all that Spaf has worked for professionally and personally. Drawing on resources and faculty from eight university departments, the Center will explore not only the technical issues in computer and network security, but also public policy as it relates to security, the economics of information assurance, computer crime investigation and response, infowarfare issues, and the social, legal and ethical aspects of information. The Center, which absorbed the work of the COAST lab on Jan. 1, 1999, initially plans to award an interdisciplinary master’s degree in information security, and eventually a corresponding Ph.D.
Never one to rest on his laurels, Spaf sees CERIAS not as the culmination of his efforts, but as a springboard to even bigger and better things. By fortifying infosec’s connections to larger social, economic and cultural issues, he hopes to engender no less than a society-wide awakening to the role of security in the Cyber Age. “I hope to get enough of the end-user population aware of security issues that they start becoming informative, active consumers,” Spaf says. “We have a lot of technology that we can use to make things safer. But nobody demands it in their products. That needs to change, and that’s what I’d like to accomplish in the long run.”
Andy Briney is editor of Information Security.