Posts in General

It’s been 30 years—time to celebrate!

Wednesday, March 02, 2022 by Prof. Spafford in General,

Prolog

In 1975, the illustrious Dorothy Denning received her Ph.D. from Purdue’s CS Department. Thereafter, she became an assistant professor, and then associate professor in 1981. Her most notable advisee was Matt Bishop, who graduated with his Ph.D. in 1984.

Dorothy initiated a graduate class in cryptography, CS 555, using her book Cryptography and Data Security, around 1980. That class is still taught today (with regular updates), perhaps making it the longest-running cybersecurity class in academia.

In 1983, Sam Wagstaff, Jr. (now a professor emeritus) joined the Purdue CS faculty as an expert in cryptography and algorithms. In 1988, Eugene Spafford joined the Purdue CS faculty with expertise in software engineering and distributed systems; Spaf also had a long-standing interest in information security, but not as an academic concentration. (Both Sam and Spaf have taught CS 555 over the years.)

Most of the academic research around the world in the 1970s and 1980s into what later became known as “cybersecurity” was focused on formal methods, authentication models, and cryptography. Some security research was secondary to OS security, database, and architecture, but it was not a particularly distinct topic area in classes or academic research. There were only 2 or 3 universities with any identifiable expertise in the overall topic area, outside of cryptography and formal methods of software development.

COAST

The Cuckoo’s Egg incident in 1986, and the Internet Worm in 1988 helped generate a great deal of interest in more applied security. Spaf had involvement in both, and especially notable in the Worm incident. Subsequent growth of instances of hacking and malware brought increased interest including some funding for research.

Early Purdue successes included release of COPS (developed by Dan Farmer under Spaf’s direction), and the publication of Practical Unix Security, co-authored by Spaf and Simson Garfinkel. Both brought attention to Purdue.

Increased student interest in computing security coursework and external funding from companies and government agencies led to Spaf and Sam establishing the COAST Laboratory within the CS department in the fall semester of 1991. The CS department provided a room for the lab and student office spaces. Four companies made generous donations to equip the lab initially: Sun Microsystems, Bell Northern Research, Schlumberger, and Hughes Laboratories.

The name COAST was suggested by Steve Chapin, one of Spaf’s Ph.D. students. It is an acronym for “Computer Operations, Audit, and Security Tools,” reflecting the more applied focus of the group. Steve was the first Ph.D. graduate from the lab, in 1993.

In the next few years, COAST became notable for a number of innovative and groundbreaking projects, including the Tripwire tool, the IDIOT intrusion detection system by Kumar, vulnerability classification work by Aslam and Krsul, the first-ever papers describing software forensics by (individually and as a group) Krsul, Spafford, and Weeber, discovery of the lurking Kerberos 4 encryption flaw by Dole and Lodin, the firewall reference model by Schuba, and the first online (ftp, gopher, and www) repository of cybersecurity tools; a remnant of that repository with many historical artifacts is available online. Many other people also contributed to notable successes, some of whom are noted below.

In 1992, COAST began to host a regular seminar series of local and invited speakers. That seminar series continues to this day; there is an archive of talk descriptions (from 1994 onwards) and videos (from late 1999 onwards). The series has featured a veritable “Who’s Who” of people in cybersecurity research, industry, and government. The series continues to attract viewers worldwide, and the entire collection is available for free viewing.

Despite the growing interest, in 1997, when Spaf testified before the House Science Committee, there were only three identified academic centers other than at Purdue. Shortly thereafter, continued growth and faculty involvement led to the transformation of COAST into the campus-wide institute CERIAS, in May of 1998. That will be the topic of a later post.

As of now, however, congrats to all the people who contributed to the founding and growth of COAST – celebrating its 30th anniversary this academic year!

Where are they now?

A number of students completed their degrees and worked in COAST, most under the direction of Professor Spafford. Here are a few of them:

Steve J. Chapin; PhD; Lead Cyber Security Researcher, Lawrence Livermore National Laboratories.
Sandeep Kumar; PhD; Staff Engineer, VMware, CA.
Christoph Schuba; PhD; Senior Security Architect, Apple Computer.
Ivan Krsul; PhD; President, Arte Xacta (La Paz, Bolivia).
Sofie Nystrom; MS; Director General at Norwegian National Security Authority.
Saumil Shah; MS; CEO and Founder, Net Square.
Aurobindo Sundaram; MS; Head of Information Assurance & Data Protection at RELX.
Taimu Aslam; MS; CTO at Broadstone Technologies.
Steve Weeber; MS; IP Architect at Windstream Communications.
Bryn Dole; MS; Self-employed, and co-founder of both Topix and Blekko.
Steve Lodin; MS; Senior Director, IAM and Cybersecurity Operations at Sallie Mae.
Mark Crosbie; MS; Dropbox Data Protection Officer.
Jai Balasubramaniyan; MS; ColorTokens, Inc. Director of Product Management.
Katherine Schikore; MS; Software Developer SAS Institute.
Gene Kim; BS; Author, Researcher, Speaker, and co-founder of Tripwire, Inc.
Todd O'Boyle; BS; AWS Consultant.
Keith Watson; BS; Director of Threat Management. Optiv, Inc.
Lucas Nelson; BS; Partner at Lytical Ventures, LLC.
Tanya Crosbie; BS; Owner, Giggles & Smiles Photgraphy.

Leave a comment (0 so far) »

Reflecting on 30 years

Friday, January 14, 2022 by Prof. Spafford in General,

One of my students sent me a weblink (in the story, below). It caused me to reflect a little on the past. Here is some text I shared on a few social media feeds.

30 years ago, when I started COAST (which became CERIAS) at Purdue, we identified a need for personnel trained in information security. There was no academic degree program at the time so we started one. We reached out to over a dozen other universities to help build their programs.

Today, many of the existing programs in the US (and some elsewhere) trace back to what we started; they have Purdue grads as their prime movers.

Now, a quarter of a century later, look at the #1 best job according to US News.

We still have a huge shortfall of people working in the field, but that is a result of many factors, including a "leaky pipeline," not nearly enough support of students from underrepresented groups (including women), and market failure for secure-by-default systems.

I am sure my self of 3 decades ago would be astonished by the growth of the field, yet disappointed that we still have some of these problems. And I would definitely be surprised that CERIAS now has over 120 associated faculty and many hundreds of students involved in research, and a half-dozen degree programs in this space.

This is the 30th anniversary of the founding of COAST. I hope I'm around to see what the 50th and beyond hold!

Leave a comment (0 so far) »

50 Years, and Lessons (Not) Learned

Wednesday, April 21, 2021 by Prof. Spafford in General,

Recently, I had cause to reflect on some of what I have done in my career. As one result, I posted a blog entry about how many programming languages I have learned.

As I was writing that up, it struck me that this is an anniversary year: I wrote my first computer program 50 years ago!

I don't recall the exact program, but it was in Fortran 66, was punched onto cards, and run on a Burroughs mainframe (as I recall, it was a B5700). I was in high school at the time, and enrolled in the advanced math track, so I was offered the opportunity to take an experimental computer course in place of shop class.

Thus, I don’t think I ever got to build that clunky birdhouse in woodworking shop. However, I did get to experiment with checking my pre-calc homework on the computer, and I kept all my fingers. I suspect my programs were as clunky as the birdhouses, although it wasn’t as obvious to everyone else. Taking the course also helped cement my nerd status, ensuring wedgies and no dates for the remainder of my high school career. (This was a result that extended well beyond high school, unfortunately.)

It was a few years later, in college, that I got to do any programming again, then in BASIC on an HP 3000 and assembly on an Altair 8800. However, the prior experience in Fortran gave me a head start over everyone else in the class and I never really looked back. My first CS advisor was a member of the Fortran 77 standards committee so I also circled back around to Fortran before I got my batchelors degree.

All of that experience (and more) was tumbling around in my head when time came to produce a lecture title and abstract. It resulted in the title and abstract, below. I gave this talk in the University of Maryland-Baltimore County UCYBR Distinguished Lecture Series earlier this week.

If you’re curious, you can view the recorded lecture. (I have some other presentations – including one from 1989 – when I had hair – on my YouTube channel page.)

Cyber Lessons, Learned and Unlearned

Dr. Eugene Spafford is a professor with an appointment in Computer Science at Purdue University, where he has served on the faculty since 1987. He is also a professor of Philosophy (courtesy), a professor of Communication (courtesy), a professor of Electrical and Computer Engineering (courtesy) and a Professor of Political Science (courtesy). He serves on a number of advisory and editorial boards. Spafford's current research interests are primarily in the areas of information security, computer crime investigation and information ethics. He is generally recognized as one of the senior leaders in the field of computing.

Among other things, Spaf (as he is known to his friends, colleagues, and students) is Executive Director Emeritus of the Purdue CERIAS (Center for Education and Research in Information Assurance and Security), and was the founder and director of the (superseded) COAST Laboratory. He is Editor-on-Chief of the Elsevier journal Computers & Security, the oldest journal in the field of information security, and the official outlet of IFIP TC-11.

Spaf has been a student and researcher in computing for over 40 years, 35 of which have been in security-related areas. During that time, computing has evolved from mainframes to the Internet of Things. Of course, along with these changes in computing have been changes in technology, access, and both how we use and misuse computing resources. Who knows what the future holds?

In this UCYBR talk, Spaf will reflect upon this evolution and trends and discuss what he sees as significant "lessons learned" from history. Will we learn from our past? Or are we destined to repeat history (again!) and never break free from the many cybersecurity challenges that continue to impact our world?

Leave a comment (0 so far) »

Riffing on the Ph.D. Degree

Sunday, April 18, 2021 by Prof. Spafford in General,

I recenty was having a discussion with someone about the Ph.D. option for a degree here. The person said "I don't want a Ph.D. because I don’t ever intend to do research at a university." Thus began a conversation about how the Ph.D. may be a requirement for most faculty positions, but it is not a sentence connected to the degree! Furthermore, not all faculty positions are primarily research positions.

As an example, of the 23 Ph.D. graduates for whom I have been primary (co)advisor to date, 11 have spent some time as faculty members but only four are still full-time faculty. Six of them currently reside outside the U.S., and six (an overlapping group) have started their own companies. Seven are C-level executives, and another 10 are in senior director/partner-type positions. It is certainly not the case they are all doing academic research at a university!

The Ph.D. is a way of learning how to focus on a narrow problem, develop a comprehensive plan to solve it, and then present the problem and its solution in a formal, convincing manner. Thus, completing a Ph.D. is a way to hone time management and research skills, dive into an area of interest, and prove one's capability to manage a big task. That is useful not only for academic research, but for managing projects, running an agency, and solving problems in "the real world."

I'm proud of all of these graduates for what they did while completing their degrees and then going on to do interesting and important things in their careers. Here's a list with mention of their most recent position:

Hiralal Agrawal; 1991; Senior Research Scientist, Perspecta Labs.
Hsin (Sean) Pan; 1993; Senior Director, Foxconn.
Steve J. Chapin; 1993; Lead Cyber Security Researcher, Lawrence Livermore National Laboratories.
Chonchanok Viravan; 1994; President of Pathanasomdoon Co, Ltd. (Thailand).
Sandeep Kumar; 1995; Staff Engineer, VMware, CA.
Christoph Schuba; 1997; Senior Security Architect, Apple Computer.
Ivan Krsul; 1998; President, Arte Xacta (La Paz, Bolivia).
Diego Zamboni; 2001; Enterprise Architect, Swisscom (Switzerland).
Wenliang (Kevin) Du; 2001; Professor, Syracuse University.
Thomas Daniels; 2002; Associate Teaching Professor, Iowa State University.
Ben Kuperman; 2004; Senior Manager of Software Development, Adobe.
Florian Buchholz; 2005; Professor, James Madison University.
James Early; 2005; Senior Software Engineer, Good Uncle.
Paul D. Williams, 2005; Senior Vice President and Chief Security Officer, Teradata.
Brian Carrier; 2006; CTO and Head of Digital Forensics, Basis Technology.
Rajeev Gopalakrishna; 2006; independent Consulting Researcher.
Serdar Cabuk; 2006; Partner, Deloitte Denmark.
Maja Pusara Jankovic, 2007; Senior consultant, Ab Initio.
Dannie Stanley, 2014; Associate Professor, Taylor University.
Mohammed Almeshekah, 2015; Founder and Managing Partner of Outliers Venture Capital (Saudi Arabia).
Kelley Misata, 2016 (INSC); CEO and Founder, Sightline Security Corporation.
Jeff Avery, 2017; Senior Principle Cyber Systems Engineer, Northrop Grumman.
Christopher Gutierrez, 2017; Research Scientist, Intel Corporation.

I am working with five Ph.D. advisees currently. Four of them are employed outside of academia and intend to stay in those positions after getting their degrees.

If you’re interested in getting a Ph.D. (or an MS) at Purdue related to cyber security, take a look at our information page.

(As a matter of trivia, even though the majority of my former students didn’t go into university positions, there are at least 53 more people who received the Ph.D. with one of the above 23 as primary advisor. Maybe we should start a “Spaf number” similar to the Erdös Number?)

Leave a comment (0 so far) »

So you have to learn a 3rd programming language?

Sunday, March 28, 2021 by Prof. Spafford in General,

I recently found myself in a conversation where someone made a comment about "Being so old I've programmed in Pascal!" I'm considerably older than that person, and actually did some of my first programming on plugboards and punchcards. I declined the opportunity to point that out at the time.

Upon some reflection, I realize I've had the opportunity (and sometimes, the necessity) to use many, many different languages during my 48 years of programming. I used to find it empowering and instructive to try different programming paradigms and approaches, so I actively sought out new ones. As my workload and schedule have evolved over time, I have not really picked up many new ones. I’d like to learn Swift and Rust (for example) but I'll need to carve out the time and obtain a compiler, first.

For grins, I thought I'd make a list of programming languages where I wrote at least one non-trivial program, where "non-trivial" means that there were subroutines/functions/methods/etc. I may have left a few out, but... (you can find most of these documented on Wikipedia if you haven't run across them before).

80x86 assembler
6502 assembler
8080 assembler
abc
Ada
Algol 68
Algol W
APL
AppleScript
awk/sed
bash
Basic
bc
C (original and ANSI)
C++
Cobol
Common LISP
COMPASS
csh
dc
Eiffel
Emacs LISP
Euclid
flex/lex
Forth
Fortran 77
Fortran II
Fortran IV
html
Java
Javascript
JCL
ksh
LISP
M4
MATLAB
MIX
Modula 2
Modula 3
MS-DOS Batch
nroff/troff
Oberon
Pascal
Perl
PHP
PL/I
PL/M
Postscript
Pr1me assembler
Prolog
Python
Ratfor
RPG
sed
Simula
Smalltalk
SNOBOL
tcl/tk
TeX/LaTeX
VAX assembler

I also wrote one small program in Intercal, to prove to myself that I could. I never worked up the courage to tackle Malbolge.

I've also written and debugged patches in microcode on several machines, but I won't claim that I really mastered any of the associated languages.

There may be a few I left out plus dialect/version variations, but that is almost 60 languages as is. I'm sure there are people who have programmed in more; those of us who have been around for a while have needed to adapt.

I don't program very much anymore. I occasionally will whip up a ksh or Perl script, and very rarely, a C program. Those are sort of my default programming tools. If I needed to, I suppose a weekend or two with some language manuals would get me somewhat back up to speed with these others. Thankfully, no one has a pressing need for me to write code for anything, although I'm still pretty good at debugging (errors tend to be the same in any language). I have written four complete compilers and three full operating systems using some of these languages, including one each in assembly language. Thankfully, that is also not on my agenda to do again.

So when "kids these days..." complain about having to learn a 3rd programming language for class, well, I am amused.

Recent Blogs

Blog Archive

Posts in General

Page Content

It’s been 30 years—time to celebrate!

Prolog

COAST

Where are they now?

Recent Blogs

Blog Archive