Stephen T. Walker recently died. He was the founder of the pioneering Trusted Information Systems, a prime force behind the establishment of the NCSC (now the Commericial Solutions Center, but also the producer of the Rainbow Series), and he was the recipient of the first National Computer Security Systems Award  His obituary lists his many notable accomplishments and awards. Steve was a major influencer (and mentor) in the field of cyber security for decades.

I only recall meeting Steve once, and I am poorer for not having had more contact with him.

If you work in cyber security, you should read his obituary and ponder the contributions that have led to the current state of the field, and how little we have credited people like Steve with having had a lasting influence.

Today (June 30) is my last day as CERIAS Executive Director. This marks the end of a process that began about 15 months ago, when it was unexpectedly announced that my appointment was not being renewed. Last week, the dean responsible announced the appointment of Professor Dongyan Xu as interim executive director as of July 1. He also announced, to our surprise, that Professor Elisa Bertiino would not be reappointed as CERIAS Director of Research. I wish to express my deep gratitude to Elisa for her support and her participation in the growth of CERIAS; I very much value having Elisa as a colleague.

I will not make any other public comments at this time about this transition other than to voice my unequivocal support of Dongyan, and of the wonderful CERIAS staff. Dongyan is an outstanding scholar and colleague, and he has a long history of active involvement with CERIAS. I helped recruit him to Purdue in 2001 as a new assistant professor working in security, so I am very familiar with his background. He has worked with CERIAS as he has advanced through the academic ranks, so he has the experience — both professional and personal — to handle the job in this time of transition.

Looking back, I have had the honor of working with some incredible people over the last 25 years, first as leader of the COAST Laboratory, and then as the founder and (executive) director of CERIAS. CERIAS participants have set an example of “thinking differently” to effect a profound and lasting set of changes — many of which are not recognized nor appreciated locally; As with most things in academia, the further away one gets from one’s home institution in space and time, the more the value of contributions are understood! It is widely acknowledged outside that our faculty, staff, and students have made a huge contribution to establishing cyber security as an academic discipline.

When CERIAS was founded in 1998, there were only four small academic groups in the world that were devoted to cyber security, and they were all quite small. CERIAS was established to help build the field, establish leadership, and investigate new ideas, all while embracing the spirit of the land-grant university to perform research in the public good. In the years since then, our local community has:

• grown our participating faculty to over 100, with visitors and senior grads of at least as many again
  
• assisted over a dozen other universities, and dozens more smaller institutions, develop curricula and degrees in the area
• initiated research into hundreds of new topic areas, bringing in over $100 million in externally funded research
• supported several dozen companies and government agencies in our partner program, with research, policy, and hiring

What is more, we helped show that the whole field of cyber protection is really multidisciplinary — it is more than computer science or engineering, but a rich area of study that includes a range of disciplines. Over the last 18 years, we have had faculty from 20 different academic departments participate in CERIAS activities…and still do.

Also back in 1998, there were few programs producing graduates with concentrations in cyber security. I did a survey for some Congressional testimony at the time, and found that only about 3 PhDs a year were being produced in all of the US (and almost none elsewhere) in the field (excluding cryptography). Although not explicitly part of CERIAS, which is a research-only entity, CERIAS participants also:

• helped produced 250 new PhDs in cyber security, cyber forensics, and privacy, and many more hundreds with MS degrees
• established the first graduate program with an explicit information security degree
• established a graduate certificate in public policy and cyber security
• established an academic program in cyber forensics

As the (in parallel) head of the Interdisciplinary Information Security (INSC) graduate program, I have seen the synergy between CERIAS and INSC, and pleased to be a part of both.

Looking back, it has been wonderful to see these results, and to work with such a wonderful collection of faculty, staff, and students. Unlike efforts at some other institutions of higher education, our primary goal has not been to generate “buzz” for faculty to start up their own companies, or to see how much funding we could rake in for bragging rights. Instead, we have sought to do the “right thing” by our students and the public: produce innovative ideas and well-educated graduates who could go out to make the world a better place for everyone. By any measure, we have done so.

Coincidentally, not only am I ending my time as Executive Director of CERIAS today, I am also finishing 20 years of service as the chair or co-chair of ACM’s US Public Policy Council. Coupled with some recent personal changes, this has been a very event-filled few months.

Those of you who know me know that I try to look forward more than look back. So, what am I looking forward to?

To start with, I will be assuming the role (and title) of Executive Director Emeritus. In that role, I will be helping Dongyan, Joel, and Jerry with whatever next steps seem right for CERIAS. I will continue to be the head of the INSC Interdisciplinary Graduate program here at Purdue. I have a few PhD students in progress who I will continue to work with. I may restart the COAST Lab with my own set of projects, if I can find some external partners willing to help fund that effort. I will continue to work with USACM as Immediate Past Chair, and serve as an at-large member of the ACM Council.   I will continue to be Editor-in-Chief of the journal Computers & Security (the oldest journal in the field). Thus, I won’t lack for things to do!

Being forced to make changes often encourages us to consider more than we might have, had status quo remained. Times of change are often the best times to make other, possibly major, changes, so some of the above may be subject to change, too! (Ideas -- and offers -- welcomed.)

In closing, my huge thanks to those who have engaged positively with me in my CERIAS role over the last 18 years. And please join me in wishing Dongyan good fortune in his new, interim role.

The nomination cycle for the 2016 induction into the Cyber Security Hall of Fame is now open.

I have attended 10 of the last 15 RSA conferences. I do this to see what’s new in the market, meet up with friends and colleagues I don’t get to see too often, listen to some technical talks, and enjoy a few interesting restaurants and taverns in SF. Thereafter, I usually blog about my impressions (see 2015 and 2014, for example).I think I could reuse my 2015 comments almost unchanged…

There have been some clear trends over the years:

• The technical talks each year seem more focused on superficial approaches and issues: there seemed to be less technical content, at least in the few I observed. This goes with the rather bizarre featured talks by cast members of CSI: Cyber and Sean Penn — well known experts on cyber. Not. (Several others told me they thought the same about the sessions.) Talks a decade ago seemed to me to be deeper.
• This matches some of what I observed at booths. The engineers and sales reps at the booths have little deep knowledge about the field. They know the latest buzzwords and market-speak, but can’t answer some simple questions about security technologies. They don’t know people, terms, or history. More on this later.
• There is still an evident level of cynicism among booth personnel that surprised me, but less than last year.
• There seemed to be more companies exhibiting (both sides of Moscone were full). There also seemed to be more that weren’t there last year and are unlikely to be around next year; I estimate that as many as 20% may be one-time wonders.

This year showed some evidence of effectiveness of new policies against “booth babes.” I talked to a number of women engineers who were more comfortable this year working at the booths. A couple indicated they could dress up a little without being mistaken for “the help.” That is a great step forward, but it needs reinforcement and consistency. At least one tried to come close to the edge and sparked some backlash.

As I noted above, the majority of people I talked to at vendor booths didn’t seem to have any real background in security beyond a few years of experience with the current market. This is a longer-term trend. The market has been tending more towards patching and remediation of bad software rather than strong design and really secure posture. It is almost as if they have given up trying to fix root causes because few end-users are willing to make the tough (and more expensive) choices. Thus, the solutions are after-the-fact, or intended to wrap broken software rather than fix it. Employees don’t need to actually study the theory and history of security if they’re not going to use it! Of course, not everyone is in that category. There are a number of really strong experts who have extensive background in the field, but it seems to me (subjectively) that the number attending decreases every year.

Related to that, a number of senior people in the field that I normally try to meet with skipped the conference this year. Many of them told me that the conference (and lodging and…) is not worth what they get from attending.

(As a data point, the Turing Award was announced during the first day of the conference. I asked several young people, and they had no idea who Diffie and Hellman were or what they had done. They also didn’t know what the Turing Award was. Needless to say, they also had no idea who I was, which is more or less what I expect, but a change from a decade ago.)

As far as buzzwords, this year didn’t really have one. Prior years have highlighted “the cloud,” “big data,”, and “threat intelligence” (to recap a few). This year I thought there would be more focus on Internet of Things (IoT), but it wasn’t. If anything, there seemed to be more with “endpoint protection” as the theme. Anti-virus, IDS, and firewalls were not emphasized much on the exhibit floor. Authentication of users and apps were. Phishng is a huge problem but the solutions presented are either privacy invasive or involve simulated phishing to (allegedly) train end users. Overall, I didn’t see much that I would consider really novel.

There was one big topic of conversation — the FBI vs. Apple encryption debate. There were panels on it. Presenters mentioned it. It was a topic of conversation at receptions, on the exhibit floor, and more. The overwhelming sentiment that I heard was on Apple’s side of the case. (Interestingly, I recently wrote an editorial in CACM on this general topic — written before the lawsuit was filed.)

Overall, I spent 4 days in SF. My schedule was fairly full, but I left this time with the sense that I hadn’t really spent all that time usefully. I did get to see some friends and former students. I got a fresh supply of T-shirts. I picked up literature for our campus CISO. And I have a few leads for companies that may be interested in donating product to CERIAS — or joining our partner consortium. If a few of those come through then I may change my mind.

If you attended the conference this year, leave a comment with your impressions.

It may seem odd to consider June 2016 as January approaches, but I try to think ahead. And June 2016 is a milestone anniversary of sorts. So, I will start with some history, and then an offer to get something special and make a charitable donation at the same time.

In June of 1991, the first edition of Practical Unix Security was published by O’Reilly. That means that June 2016 is the 25th anniversary of the publication of the book. How time flies!

Read the history and think of participating in the special offer to help us celebrate the 25th anniversary of something significant!

History

In summer of 1990, Dan Farmer wrote the COPS scanner under my supervision. That toolset embodied a fair amount of domain expertise in Unix that I had accumulated in prior years, augmented with items that Dan found in his research. It generated a fair amount of “buzz” because it exposed issues that many people didn’t know and/or understand about Unix security. With the growth of Unix deployment (BSD, AT&T, Sun Microsystems, Sequent, Pyramid, HP, DEC, et al) there were many sites adopting Unix for the first time, and therefore many people without the requisite sysadmin and security skills. I thus started getting a great deal of encouragement to write a book on the topic.

I consulted with some peers and investigated the deals offered by various publishers, and settled on O’Reilly Books as my first contact. I was using their Nutshell handbooks and liked those books a great deal: I appreciated their approach to getting good information in the hands of readers at a reasonable price. Tim O’Reilly is now known for his progressive views on publishing and pricing, but was still a niche publisher back then.

I contacted Tim, and he directed me to Debby Russell, one of their editors. Debby was in the midst of writing her own book, Computer Security Basics. I told her what I had in mind, and she indicated that only a few days prior she had received a proposal from a well-known tech author, Simson Garfinkel, on the same topic. After a little back-and-forth, Debby introduced us by phone, and we decided we would join forces to write the book. It was a happy coincidence because we each brought something to the effort that made the whole more than the sum of its parts.

That first book was a little painful for me because it was written in FrameMaker to be more easily typeset by the publisher, and I had never used FrameMaker before, Additionally, Simson didn’t have the overhead of preparing and teaching classes, so he really pushed the schedule! I also had my first onset of repetitive stress injury to my hands — something that bothers me occasionally to this day, and has limited me over the years from writing as much as I’d like. I won’t blame the book as the cause, but it didn’t help!

The book was completed in early 1991 and included some of my early work with COPS and Tripwire, plus a section on some experiments with technology for screening networks. I needed a name for what I was doing, and taking a hint from construction work I had done when I was younger, I called it a “firewall.” To the best of our recollection, I was the one who coined that term; I had started speaking about firewalls in tutorials and conferences in at least late 1990, and the term soon became commonplace. (I also described the DMZ structure for using firewalls, although my term for that didn’t catch on.)

Anyhow…. the book appeared in the summer of 1991 and became a best seller (for its kind; last I heard, over 100,000 copies have been sold in 11 languages, and at least twice that many copies pirated). Thereafter, Simson and I also worked on a book on www security (editions in 1997 and 2002), along with our various other projects.

After several years, we produced a major rewrite and update of the Unix security book to include material on internetworking (a fast-growing topic area). That second edition was published in 1996.

Simson and I had gotten so occupied with other things that we welcomed a 3rd author for the third edition of PUIS (as we came to call it): Alan Schwartz. That edition appeared in 2003 and included many updates, plus extension of the material to cover Linux.

Simson went on to write many other books, started several companies, then went back to school to get his PhD. After a while as an academic, he is now a research scientist with NIST…and occasional tech essayist. Alan has a career as a consultant, author, and professor at the University of Illinois at Chicago. Me? I continued on up through the ranks as a POP (plain ol' professor) at Purdue University, including starting CERIAS.

Given all the various changes, and how busy our lives have become with other things, there are no current plans for a 4th edition of the book. If we were to do one, it would probably need to be split into at least two volumes, given all the changes and issues involved.

Possibly interesting bit of trivia: Simson and I did not know each other prior to late 1990, and we did not meet in person until 1992 — more than a year after the book was published! However, the experience of working together brought about an enduring friendship. I also did not meet Alan until several years after the 3rd edition went to press.

Special Offer

If you have someone (maybe yourself) who you’d like to provide with a special gift, here’s an offer of one that includes a donation to two worthwhile non-profit organizations. (This is in the spirit of my recent bow tie auction for charity.) You can make a difference as well as get something special!

Over the years, Simson, Alan, and I have often been asked to autograph copies of the book. We know there is some continuing interest in this (I as asked again, last week). Furthermore, the 25th anniversary seems like a milestone worth noting with something special. Therefore, we are making this offer.

For a contribution where everything after expenses will go to two worthwhile, non-profit organizations, you will get (at least) an autographed copy of an edition of Practical Unix & Internet Security!! Depending on the amount you include, I may throw in some extras.

The Two Non-Profits

The organizations we’ve chosen are EPIC and the ISSA Education Foundation.

The Electronic Privacy Information Center (EPIC) is a non-partisan, non-profit public interest research center established in 1994 to focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age.

The ISSA Education Foundation is a non-profit organization associated with the international Information Systems Security Association (ISSA). It provides scholarships and educational programs on cyber security worldwide.

This offer is thus contributing to two worthwhile organizations — one supporting better security, and one supporting better privacy.

The Offer & Levels

Here are the levels of contribution:

$50

Send your copy of any edition of Pratical Unix Security and I (Spaf) will autograph it, then return it to you.

$75

Send your book along with a suggested inscription, and I (Spaf) will use that along with the autograph, subject to the caveats given below.

$100

I will send you a brand new copy of the 3rd edition with my signature.

$125

Simson and I will both sign your book, and if it is the 3rd edition of PUIS, so will Alan. (If it is a first or second edition of PUIS, Alan will sign it if you ask, although he didn't help author those editions.) If you suggest an inscription, one of us will add it, subject to the caveats given below.

$175

We will provide you with a new copy of the book, signed by all 3 authors, with a suitable inscription.

$250

Same as the previous category, plus we'll toss in one of Spaf's bow ties. (If that doesn't make sense, you haven't been to one of his conference talks or distinguished lectures in the last two decades.) This offer is limited to the first 8 at this level.

$300 or more+

All of the above plus something...make a suggestion. (No, we won't write your project code or hack into the Federal Reserve for you).

Each multiple of $500

We will send you five brand new copies of the latest edition of PUIS, signed by all 3 authors.

As an additional offer, Simson and Spaf will sign and return your copy of Web Security, Privacy, & Commerce for an additional $25 if you include it with one of the above.

We are making no profit on this offer! Anything above what is spent on shipping will get split evenly between the designated organizations. We are donating our time, gas (to drive to the post office), and ink to do this. We will share images of the receipts with anyone who asks for proof.

Don’t have a copy of the book already? Copies are still for sale via O’Reilly, Amazon, Barnes & Noble, and other likely sources. It should be easy to get (at least) one. As noted above, we are willing to do even that for you if you will pledge a sufficient amount for this fundraising drive.

This is an offer that will not be repeated...unless we happen to be around 25 years from now and decide to do this on the 50th anniversary!

This offer will expire at noon on Feb 1, 2016, so participate soon! If you act quickly, this could make the perfect "white elephant gift" for your annual office gift exchange, or maybe an odd stocking stuffer for that certain someone but you must order right away! And if you keep it for a few years, you might be able to use it at an upcoming SCA event!

The Fine Print

• You must provide a check or money order in US dollars with the book(s), made out to “Eugene H. Spafford.” Put “Holiday fundraising offer” in the memo/notes field. Any items sent with an invalid form of payment will not be returned. Alternatively, you can include checks or money orders made out directly to each of the two organizations and we will simply send them on. (The goal is to raise money for these worthwhile organizations and celebrate the anniversary of the book, not to handle a lot of funds!) That will allow you to take the tax deduction, if it is applicable to your circumstances.

• Ship the book(s) with funds to:

  PUIS Anniversary Offer
  c /o Professor Eugene H. Spafford
  Purdue University CERIAS
  656 Oval Dr
  West Lafayette, IN 47907-2086

• Be sure to include your return address! Even better, include a pre-made return address label acceptable to the USPS.

• All signed books will be returned via “book rate” US mail (USPS). If you want something faster, insured, or tracked, then send a pre-paid, self-addressed FedEx, or UPS envelope sufficient to hold the book in a padded envelope. You must do the same for shipment outside the United States! We will not be responsible for damage or lost items sent “book rate” in regular mail.
  

• If you send a contribution for a custom inscription but don’t suggest one, we will make one up. If you suggest an inscription that we find offensive (e.g., “COBOL Rules!”) or legally problematic (e.g, “I embezzled $100 million”) then we will make up something else.

• All contribution amounts beyond what is required for shipping expenses will be split evenly between the two organizations. No handling expenses will be charged (insert your own joke here).

And no, we don’t have books with anything like this cover; We wish we did!!