Michal Zalewski on the Wireby Federico Biancuzzi
Recently the eccentric security researcher Michal Zalewski published his first book, entitled Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks. Because the book is everything except a security manual, Federico Biancuzzi chose to interview Michal and learn more about his curious approach to information security. Among other things, they discussed the need for randomness, how a hacker mind works, unconventional uses for search engines such as Google, and applying AI to security tools.
Could you introduce yourself?
Well, I am just a computer geek. I am a relatively young, self-taught enthusiast who is fairly proficient in the field of computer security, and simply enjoys playing with this stuff. Since the mid-'90s, I managed to contribute some probably worthwhile research to this area, as witnessed by a number of BUGTRAQ readers. I found and helped to solve a bunch of interesting security problems, and wrote a couple of well-received papers; I also developed several small but cool open source infosec utilities such as p0f, memfetch, Fenris, and fakebust.
Well, enough with blatant self-promotion. Curious readers can find more information about my work (and what else do I do in my free time) at lcamtuf.coredump.cx.
Silence on the Wire is a fairly unusual guide to the world of computer security. Unusual, because instead of taking the reader through the frequently repeated fundamentals, I tell a story of this field as witnessed by me when I first learned this stuff.
I show that security problems are inherent to the way we design systems, bound to just about any aspect of modern computing; and that only by understanding it can you follow and mitigate threats efficiently. Along the way, I focus on some of the more unusual, fascinating, and often arcane topics in a way that hopefully is both easy to follow and entertaining, even if you have no professional interest in security.
Who should read it? Well--if you just want to get a solid grasp of the basics, this book is not for you, at least not to accomplish this task. If you are a seasoned computer user or a developer, and want to learn to see the technology in a different way, I believe you should give SotW a try. If you are an infosec professional and want to learn more about the technology, and rediscover the fascinating world of computer mechanics, I hope you'd enjoy SotW, too.
In the first chapter, you write about the need for randomness, and how it's difficult to get truly random data from a machine built to behave deterministically. Could this necessity disappear with the growing resources that common people will have access to? For example, a blind spoofing attack could become more feasible with broadband access to the internet, and there are some countries where you can easily and cheaply get a 10Mbps or 100Mbps connection.
Computers need to be able to generate truly unpredictable numbers for various purposes--implementing cryptography is a prominent example. This is not going to change anytime soon.
When users have access to more and more bandwidth and computing power, they can more easily carry out brute-force attacks against protocols and algorithms. But this only means the need for strong cryptography, cryptographically secure ISN generation, and so forth is on the rise. And to get there, we need computers to be able to deliver high-quality, unpredictable entropy--more than ever.
Do you think that security concerns will require the adoption of a new version of TCP in the near future?
In my opinion, TCP has some shortcomings, and these are bound to become more and more of an issue in the near future, but I do not think we're going to reach a point where we must switch to something else that instant; there is no mystery failure threshold, but performance and security features within or kludges around the protocol are becoming less efficient as the surrounding technology advances.
In fact, even if we had to replace TCP on short notice, it would be next to impossible to carry out such an operation. Look at how we're moving toward IPv6 protocol suite--ho boy!