! The Wietse Venema Interview !

=> Introduction by Dan Farmer ;

"Wietse as I know him.  Well, I think he's one of the two top internet
security people (steve bellovin being the other, I'm not close); he's
*the* best security programmer in the world - he can actually write
correct, working, secure code that is nearly flawless.  That's pretty
amazing, and I've never seen it elsewhere.  One of the major revs to
the TCP wrappers actually shrank the code size while adding functionality,
which is almost unheard of in software (code bloat being a way of life
to most).  I suppose one of his biggest strengths is that he has some
idea of how good he is, but he also knows what he doesn't know.  He
never tries to BS anyone - he has real intellectual integrity.  Plus
he's fucking brilliant, of course.  It's a tremendous honor to work
with him"

=> Beginning of the interview ;

How old are you?

I was born in 1951. Right now I am 48 years old. However, age is
misleading. My involvement with computer security began only 10
years ago.

> How did you get interested in computers and especially computer security  ?

Two lives ago, when I was doing physics, computers were already
essential for running experiments and for the analysis of results.
At the time, PCs barely existed. The typical lab computer filled
a man-size rack.

In order to do my research I built some of my equipment and wrote
all of my software. I had a good reason to write robust programs,
because my experiments ran 24 hours a day for several weeks, and
I did not want to baby-sit my experiments all the time.  The software
had to behave reasonably under normal and abnormal conditions.

When I finished my Ph.D. research I found that all seats in physics
were taken for the next 20 years or so. I decided to leave physics
and to do something else.

I got involved with computer security 10 years ago when someone
repeatedly thrashed computer systems at my university. I did some
post-mortem analyses and wrote some network monitoring software
and slowly figured out what was going on.  Like everyone else who
deals with a similar situation for the first time I found that the
break-ins had nothing to do with black magic and that they had
everything to do with poor system administration practices.

> When was the first time you touched a computer? and what kind of
> computer was that?

That must have been a programmable HP calculator with X/Y pen
plotter when I was a student in 1973.  Those machines filled an
entire desk. Nowadays you get the calculator's functionality and
more in a hand-held machine.

> How many computers do you have at home? and what is your favorite
> operating system?

I have dozen or so at home, all except a few stacked up in racks.
Three machines contain real data.  The other machines are disposable.
There's several versions of FreeBSD, BSD/OS, OpenBSD, Solaris,
SunOS, and Linux. Each operating system is different. My mission
is to write software that works well on at last all those systems.

Regarding choice of system, no system is perfect. Until now I
prefer FreeBSD. However, differences are getting smaller, not
necessarily because software is getting better.

> How did tcp wrappers change your live?

It got me a lot of recognition. I managed to not mess it up too
badly over time, so people still love me for it.

> When was the first time you connected to the net?

I hooked up my home UNIX machine to email and USENET news in 1986.
This was before TCP/IP became available in Europe.  At the time,
a lot of data was sent over batch-mode dial-up UUCP connections.

> What programming language do you prefer?

I prefer to implement a dedicated little language for the problem,
so that I can express the solution in fewer words, and therefore
with fewer mistakes, than if I were to implement the solution
directly in a lower-level language such as C or PERL or whatever.
If the dedicated language is powerful enough, it can be used to
solve other problems than the one it was originally written for.

For example, the SATAN vulerability scanner uses several little
languages to implement the rule bases that drive its inference
engine. It is much easier to write a SATAN rule than to write the
equivalent PERL code.

The TCP Wrapper implements another little language. Its access
control language has ideas that I stole from the Prolog language
for logic programming. In the original design of the wrapper control
language, order of rules did not matter, just like the order of
statements does not matter in Prolog. This simplifies the use of
a language immensely.

I dislike the way that some object oriented languages are being
used. It can be true hell to find out exactly how a program works,
let alone to identify and eliminate vulnerabilities before release.
And languages such as C++ don't really improve that much over raw
C for expressing the *desired* behavior of software.

> How did you meet Dan Farmer?

Dan wrote COPS (the host-based security scanner). I wrote the TCP
Wrapper (network monitoring and access control). In 1992 Dan wrote
me email, asking if we could do something together. And so we did.

> Are you still working with him on a project now and then?

My main projects are part of our grand plan to write about all
aspects of computer security.  The forensics toolkit, to be released
July 2000, was built so that we could write about recovering from
a computer break-in.  The Postfix mailer, released December 1998,
was built so that we could write about programming.  There's a lot
of other material that still needs to be covered, so you can expect
to see more tools coming from us. I have no idea what will be next.
We usually write our software in a few months time.

> What security tools would you use to audit your network?

My brain, mostly. No kidding. When I do an audit I analyze systems
from the inside, which is also called a white box analysis. Once
I know where to poke I do some poking. My approach is complementary
to what is called black box attacks. Each approach has its purpose
and uses.

> Is there going to be a Forensics Class this year?

It is possible that Dan and I will give another one-time class on
some subject.  But there will be only one Forensics Class, just
like there was only one Security Auditing class a few years ago.

> Postfix is still an alternative for sendmail do you think this will ever
> change?

It's good that people have a choice of mailers. Sendmail is more
flexible than Postfix will ever be, or most other mailers, for that
matter.  And Sendmail isn't really going away, even when you install
a different mailer on your system.  Most UNIX-based MTAs have a
Sendmail compatible user interface, which I assure you can be a
royal pain to implement accurately.

> Who are the people you look up too?

I look up to the people who have to deal with real computer systems
that are used by real people. I did that for more than five years,
and I know it is hard work. If you do the job well no-one notices
what a great job you're doing because everything just works.

> How do you feel about al those insecure systems out these?

Well, it definitely is a problem. I can try to make my own computer
systems immune to some attacks, but that doesn't do me much good
when the rest of the world falls apart so that I can talk only to
myself.  There is a certain amount of self-interest for me in
sharing my software with other people.

> Do you think that lists like bugtraq should not be allowed for everyone
> to subscribe too? to prevent malicious use of the information exposed?

I could certainly miss some of the drivel on some of the mailing
lists, but that's not what you asked. My preference is that
vulnerabilities are not made public until a solution is available.
No responsible vendor or software author can afford to ignore the
issue - even CERT/CC releases a bulletin when it believes that a
vendor is uncooperative.

Disclosure before fix does not always work well.  On occasion I
had to release a placebo patch because there really was no
vulnerability.  However, the public wanted to see action and kept
sending me mail, so I released a placebo and everyone was happy.

> Any chance that we can see you this summer in the Netherlands?

I minimize travel. If I am away from home for a week I spend the
rest of the month in misery, catching up. I value my time.

For more info about Wietse Venema visit: