Internet / Network Security

Interview with Eric Cole

~ Continued ~

From Tony Bradley, CISSP, MCSE2k, MCSA, A+, for About.com

TB: What is the key area you would like to see companies improve on in terms of their Information Security?

EC: The area that needs the most improvement is true risk analysis. Not a long, drawn-out 9-month effort but a short 2-3 week effort that identifies the highest risks to an organization and what needs to be done to fix them.

TB: In your opinion do users have the right to secure and hide information so that even our own government can’t access it?

EC: This is a hard question to answer. My initial response would be that if you are doing nothing wrong then you do have a right to secure and hide information, but if you are trying to do something wrong or harmful to others then you cannot. Intent is really the dividing line but the problem is that it is impossible to measure. The unfortunate reality is that one of our greatest freedoms in the USA is that we have the right to have private communications, even if it can be used against us by adverse groups.

TB: Do you think that steganography will become increasingly used by businesses? Do you think business should use steganography as a security tool?

EC: Yes, as time goes on I think more and more companies will use stego to protect their information. With a lot of technology there are both good and bad uses to it. In this case stego unfortunately has been quickly adopted by criminal elements and I think it will take a little longer for the legitimate uses to become popular.

TB: What do you think is most exciting about steganography currently and how do you see it developing in the future?

EC: One of the most exciting and challenging areas of stego is stego detection. Figuring out the weaknesses in an algorithm and using that information to build better systems in the future. The problem/challenge is that this is still in its infancy and has to grow into a more structured discipline like crypto.

TB: Niels Provos, considered by many to be one of the best in this field and whose tools you have included on your CD, has recently made his tools unavailable in the United States out of fear of the State Super-DMCA laws (mainly the Michigan law). Do you feel that the Federal or State DMCA laws interfere with legitimate security research? (See my article: Are You Breaking The Law?)

EC: Yes, I feel that the laws restrict research and will hurt us in the long run. The law was written by people that do not understand the value of research and was a knee-jerk reaction to people doing things that they shouldn’t.

TB: Tim Mullen presented a concept of striking back at infected machines at the 2002 BlackHat conference and recently IRC operators created an anti-worm to automatically clean machines infected with the Fizzer worm without their permission. Do you think that the Internet community has the right to defend itself or is counter-hacking in the same ethical boat as the original attack? (See my article: Counter-Hacking: Savior or Vigilante?)

EC: Yes, you always have the right to defend yourself but there is passive and active defense. Passive defense is acceptable and if it was done more often this problem would be a lot better. Active defense where you attack back is very dangerous because of relays. You never really know who your real attacker is.

TB: I think people like to know what products are used by people who do Information Security for a living. What antivirus software and/or firewall software do you run on your personal computer?

EC: I run no security software or virus checking on my system because I think it is a waste of time. Only joking, I just wanted to make sure you're still awake. I use ZoneAlarm and V-secure but I also have multiple firewalls that my systems sit behind.

I'd like to thank Eric Cole for taking the time to answer my questions and share his thoughts and opinions.

©2008 About.com, a part of The New York Times Company.

All rights reserved.