shift or die

security. photography. foobar.

Chaosradio International interview with Dan Kaminsky

I can greatly recommend the latest episode of Chaosradio International, an interview with Dan Kaminsky. I especially like the following quotes:

At about 16:42 into the Podcast:
Tim Pritlove: So are you ... are you considering ... are you ... well ... do you call yourself a hacker?
Dan Kaminsky: Absolutely.
Tim: Also in the US?
Dan [affirmative]: Hmmhmmm. No, ah, you know ...
Tim [laughs]: What's your experience with that?
Dan [laughs too]: I have had to explain it a couple of times. Look, you need hackers to fight hackers like you need soldiers to fight soldiers. You can't have someone on a battlefield being like: [incredulous] "What is going on? There are these pieces of metal and they are flying through the air and if they hit you, you start bleeding. Wow! Someone should have told me!". Hacker does not describe what side you are on. Hacker describes the fact that you know how the systems actually function. And you use that knowledge of how they actually function in your benefit. Now, there are good hackers and bad hackers, like there are soldiers who are on your side and there are enemy soldiers. That's just how it works.

Although I am normally not much for the military comparisons, Dan's theatrics are (as usual) just hilarious when he mimics the incredulous soldier on the battlefield.

At about 52:41 into the podcast:
Dan: I think it's too expensive to fix it all after the fact. The problem is, you end up with these endemic security flaws. And maybe you have a good security team and they find 75% of the issues. Maybe you have a really good security team and they find 90%. Maybe they are rockstar-expensive ninjas and they find 99%. You know what, you still got entire ... you're still having ... the attacker only needs to find one hole. And that's really a bottom line. And you can never find 99% with even the most amazing rockstar team 'cause there's just too much code.