Cracked Code
Eugene Spafford calls software companies to the carpet
Interview by Thomas Claburn
New Architect, March 2003
Dr. Eugene Spafford, a.k.a. Spaf, is a Professor of Computer Sciences at Purdue
University. His research focuses primarily on information security, computer
crime investigation, and information ethics. If you use a firewall, thank him: he
brought the term to networking in 1990.
New Architect: Given the current state of security, what worries you the
most these days?
Eugene Spafford: I'm not sure there's one thing I can pick out. We have
so many vulnerabilities throughout the system: in the software that's deployed,
in the development processes, in operations, in networks. With all the places
we're using software, we have so few people who are appropriately trained in
using the security tools that we have and in understanding how security really
works. It's a massive problem.
NA: In your testimony before the House Science Committee, you talked about
how information security data was often withheld by companies and governments
because they consider it sensitive and proprietary. What should be done to make
that data available to those whose work might benefit from it?
ES: There are valid reasons why we would want to keep some of that information
proprietary, because it does contain sensitive information. But unless we
start sharing information [about security breaches] and understanding the magnitude
of the problem, and have some real data balanced with some real applications,
those of us trying to do research in academia and in industry aren't going to
be able to build real solutions. So we have to come up with an attitude change: admitting
to security problems should not necessarily be a mark of shame.