Question/Answer

Prepare for the Zombie Invasion




Joshua Corman '98, an avid UNH hockey fan (is there any other kind?), doesn't get to many games. Formerly the principal security strategist for IBM Internet Security Systems, and now the Research Director for IT enterprise security at the 451 Group, he travels a lot, spreading the word about security risks. Network World named him one of the "Top Ten Tech People You Should Know." He lives in Dover, N.H., with his wife, Lisa, and daughters Kaylee and Cassandra.

Joshua Corman '98 (Photo by Erin Gleason, UNH Photographic Services)

Q: What's the story behind Cassandra's name?

A: In mythology, Cassandra had the gift of prophecy, but her curse was that no one believed her. It's a classic reference for people who are thinking a little farther down the road than most. If Cassandra's like her dad, she'll have to understand that tradeoff.

Q: You see the future, but no one believes you.

A: They're starting to. I'm often asked, "What's the biggest threat to national security?"

Q: You say?

A: My mother-in-law. Well, her computer, your computer, your kid's computer. The leper colony, I call them. My business customers have money to spend preventing attacks. They're doing an OK job. But no one cares about the leper colony. Many people don't even pay the $50 for fairly useless antivirus software. There are millions who can be infected with botnets.

Q: Botnets?

A: The bad guys hook all your computers together to create a botnet that works like one big computer—a new kind of malicious code. For 20 years, viruses were created for prestige, to be famous in underground hacking circles. The evolving threat of the three Ps—Prestige, Profit and Politics—started about five years ago. These attacks are more serious, sophisticated and well-funded. Your adversary is not a 14-year-old making a name for himself, it's organized crime.

Q: How can criminals profit from my computer?

A: When your computer's getting slower, they're using it to send spam or store illegal materials. One U.S. city ran out of space in their data center. They asked us to find out why. We found gigabytes of child porn. They're manipulating the stock market or launching a DDoS—Distributed Denial of Service Attack—that knocks off a power grid. Hackers targeted a Louisiana grid, took it offline and demanded ransom. These attacks are launched by thousands of connected computers—botnets.

Q: And the owners have no idea.

A: We're talking good and evil. There's so much innovation among the bad guys, we need to be innovative for the good guys. I show clients pictures of kids caught writing viruses beside pictures of Russian mafia caught doing profit-based attacks to show the evolution. Political attacks are even scarier. The nation of Estonia was taken off the Internet for two weeks. Estonia wanted to move some statues of Russian war heroes from one town square to another. In retaliation Russian "patriots" took Estonia off the Internet.

Q: During the ice storm we couldn't use phones, computers or buy gas in town and we freaked out.

A: As it was happening, I said, "If we don't get our act together on national security against cyber attacks, this could be a regular occurrence."

Q: You were a philosophy major? How does that figure in?

A: My communications skills—writing lots of papers—help me be understood by audiences that a technology person could never reach, business people.

Q: What philosophies guide you?

A: Descartes said, essentially, I've been wrong about things, so maybe I'm wrong about everything. He wanted to tear down everything he thought he knew, then build it back with a more solid foundation of thought. I'm challenging what we thought was sound security, returning to basic principles and building something that's less costly, less complex and more effective. It's a rebirth of sorts. Philosophers try to solve ageless questions that are completely unsolvable, which is excellent practice for security, which is hard, hard stuff.

Q: Do you like sci-fi movies? Just wondering.

A: I like zombie movies. Botnets are sometimes called zombies. In zombie movies, there's a perimeter, just like in security. You have to keep the zombies from getting into the house.

Q: "Night of the Living Dead."

A: Exactly. Invariably they get through. We're not prepared for the zombie invasion. We talk about the digital Pearl Harbor. This is what keeps me up at night. The bad guys have outpaced the good guys. If they want to take down our power grids, they can. The Cassandras who are predicting a digital Pearl Harbor won't be listened to until it's too late. I warned of cyber attacks on U.S. military bases. Now we hear congressional testimony that bases have been hacked. For years, we've been playing checkers. We have to start playing chess. We have to anticipate or even dictate the moves of our adversaries.

Q: I have a Mac. Am I OK?

A: No. Last year there were more vulnerabilities in Macintosh than in Windows.

Q: What question really annoys you?

A: "Which antivirus program should I buy?" It's like asking, "Of all these ineffective antivirus technologies, which is best?"

Q: And you answer?

A: They all stink, but free stinky is better than expensive stinky. Your Internet Service Provider may offer you a free antivirus protection program already. If you need to buy one, see http://www.av-comparatives.org for the least stinky. If they press me for a consumer product, I'd say pick between Kaspersky, ESET/NOD32, or a free one like Microsoft or AVG. For corporate or government use, my answers differ: Sophos is doing smart things, but they don't sell to consumers. The real question is, when we keep paying for poor protection, what incentive will vendors have to make better protection?

Q: Facebook?

A: .... is horribly dangerous. My hairdresser says, "Hey Josh, I got this quiz on Facebook. Based on what you've told me, I didn't answer it. Aren't you proud of me?" They were questions like your first pet's name, the street you grew up on. These are security questions your bank would ask if there was a problem with your account or you forgot your password. People think social networks are fun, and they are. But they provide information to people who could attack you. I don't want people to be paranoid, but you should assume there's someone out to get you all the time.


Rebecca Rule '76, '79G is a humorist, essayist and author. Her most recent book is Live Free and Eat Pie: A Storyteller's Guide to New Hampshire.
