Interview Hacker Journal 2009
Interview by Giovanni Federico. The Italian version of this interview has been published in Hacker Journal 190 by WLF Publishing.
Giovanni Federico: Who is Michael Boelen?
Michael Boelen: My name is Michael Boelen, 27 years old and living in the southern part of The Netherlands. I work for a Dutch consultancy company called Snow BV, which employs Unix specialists with networking, storage and security knowledge. Those latter two areas are currently part of my daily work at Philips, where I'm security officer. Besides work I read a lot of books, for my study and for fun as well. Most of the books are security related, which is probably not very surprising considering my job. After sitting at the desk all day I also like jogging and mountain biking in my spare time.
GF: When and why did your passion for computing and for issues related to open source and security start?
MB: Around the age of eight I had my first experience with a Commodore 64. At that time people started to buy the first personal computers, while I was playing games on my Commodore (like a real kid). When I was ten years old, I started to play with BASIC by copying code from source code books to create little games. These first steps in BASIC initiated my interest to continue programming. My first open source experience was when I was a student. We installed Linux and found out that it was a little bit 'different', after all those years being familiar with MS-DOS and Windows. At the same time I got interested in networking and security. This interest became only stronger in the years after.
GF: For Michael Boelen, is security a product or an ongoing process?
MB: In my opinion security is both. Security is a product when you reach some level of confidence that your precious data is safe. On the other hand it's a big ongoing process in which we all have to participate to keep that same data safe in the future. It can also be compared with a security product itself, like an IDS (Intrusion Detection System). In this case you will need to manage the device (=the process) to give the IDS its value and get a little bit safer again (=the product).
GF: How would you rate the IT security market in the last ten years? From your point of view, do companies invest more in security than in the past?
MB: Without a doubt the security market is increasing. There is still a shortage of well-qualified security professionals, while the demand for them is getting higher. With several regulations and initiatives like SOx, HIPAA and PCI, more and more companies are required to comply with the defined rules. Also, customers demand that companies treat their financial data and privacy with more respect than ever before. With the endless stream of media attention, companies will be more security aware and invest in their infrastructure, processes and people.
GF: What is the perception that the generic PC user has, in 2009, of the issues related to information security?
MB: Normal users were often ignorant about security and still are in 2009. A part of these users does not know what an anti-virus suite is, why or how they should make a backup of their private data, and when to avoid clicking on hyperlinks in e-mail. I can't even blame them, since the subject is still new for the modern age we live in. Another issue is the underestimated value people assign to their private data. Everyone wants to keep their holiday photos, but how many actually make a regular backup? Hopefully in the upcoming 10 years security will be a common part of the computing world we live in, like the internet is now for a lot of us.
GF: How does Michael Boelen describe the figure of the modern "hacker"?
MB: For me the modern hacker is still the same enthusiastic guy (or girl), trying to find out how some specific piece of technical equipment works. In case we are talking about the blackhats, the definition has changed for me. Where before only the really clever people could break into something, now almost everyone can do that with the help of some powerful tools.
GF: It's evident that the interest addressed by institutions and media to free software and the issues related to using open source software is increasing. How do you explain this phenomenon?
MB: Open source software is getting mature, has more powerful features and is usually available at the best possible price for the user: for free. In these economically challenging times, companies face budget cuts and often have to look for alternatives to the existing commercial tools. Media attention is a big plus for open source software. I do think media attention and open source benefit each other: by giving attention to such tools, people start to use them and in return people want to read more about them. After all, some magazines were born to fulfill this demand, like several Linux related magazines.
GF: Today, seeing a Linux distro installed on a home-user PC is not surprising compared to some time ago. What's the approach that you recommend to someone who is approaching the world of open source software for the first time?
MB: I would advise to take small steps and realize that you are on new territory. Open source software exists in all different forms, but can have its challenges. On one side we have programs that are easy to use, well documented and have a big user base. On the other side we have software which is poorly documented and almost impossible to install. Be prepared to read the man(ual) pages or documentation, or to request some help on related forums. If you start working with open source software, take the time to ask yourself the question "What can this software do for me and what can I do to get the maximum out of it?". I think you can compare choosing (open source) software with buying a new car: it will always have a frame, an engine and four tires, but it's up to you to choose the looks and the color. Sometimes you will have to accept that you can't choose your favorite color. But in the end you will discover that there are a lot of nice tools, sometimes with features you won't even find in commercial tools.
GF: What is Lynis and what is the target at which it's addressed? What were the reasons which motivated you to develop such software?
MB: Lynis can be described as an auditing tool for Unix based systems. It performs a system scan to find incorrect or weak system configurations. This includes default system files and commonly installed software, but also missing security patches. Lynis can assist system administrators in hardening their systems, double checking their default installations and comparing systems against a predefined baseline. For security auditors the tool can provide information about how well systems are hardened and whether basic configuration flaws have been prevented. The main reason for writing this tool was the lack of existing tools in this field. In my work I have to install, configure and audit systems. While searching for auditing tools I found that there aren't a lot of tools that can do generic system auditing. Another reason to create this tool is improving my knowledge of the many aspects Unix and open source software have to offer. Last but not least, developing an open source tool gives you the opportunity of being asked for an interview!
GF: On your website, we can see "phpips": reading the description offered on the page we sense that this is a framework used to write web applications that offer some features like protection from XSS and SQL injection attacks. Could you tell us more? What are the differences between "phpips" and the "mod_security"/"hardened-php" projects?
MB: That is correct. PHPIPS is a framework to block unexpected input and can be configured to filter and/or block data for every single page and field type (within HTML forms). The big difference at this moment is that PHPIPS is not available to the public yet, while the others are. These two projects you mentioned are mature projects and have their own specific strengths, while PHPIPS is just a simple framework.
GF: You are the author of one of the most used pieces of software for the analysis of Unix systems when looking for rootkits and malicious software. We're talking about "Rootkit Hunter". With the introduction of the SELinux/grsecurity kernel patches, what do you think is the future for rkhunter?
MB: The future of Rootkit Hunter does not directly change due to these kernel patches, because they have their own purposes. One big difference for example is performing the analysis after a system break-in, while both SELinux and grsecurity try to avoid unauthorized instructions in the first place. This gives every tool new chances to prove itself in different scenarios. Rootkit Hunter has the strength of searching for very specific types of malware, which can also be a weakness. For example, there is malware with the purpose of avoiding detection (often until the next release), which also proves this type of software is part of the usual cat-and-mouse game. Personally I did notice the shift in malware attacks. SQL injections and programming flaw abuse seem to have increased a lot in the last 7-8 years, while the number of rootkits in the wild I encountered decreased. As the original author of Rootkit Hunter I find it difficult to predict the future for this project. This is because the development nowadays is done by a team and my personal focus switched to Lynis. The second reason is that we will never know when some clever malware will suddenly show up. For now Rootkit Hunter fills a gap and will continue for at least some more years.
Last updated by Michael Boelen at 17 December 2009