
Anton Chuvakin – Stuck In the Lift With The Cynic

As part of my feeble attempts to lose weight I’ve been trying to cut down on my calorie intake, work out a bit and try to walk wherever I can. Unfortunately, walking up stairs still gives me a near cardiac arrest, so I’m still taking the lift.

Much to my surprise, I found myself stuck in a lift yet again. This time with the infamous Anton Chuvakin, the former director of PCI compliance solutions at Qualys.

Q: Tell me about your career and how you got to where you are today?

A: At the very beginning, my security career started with reading and later writing about security as well as experimenting with different systems, networks and of course security technologies on my own. I also helped as a Linux system administrator at an ISP, which required me to think about security pretty much every day (otherwise, the systems would be owned really soon, since Linux of the mid-90s was certainly not the same as it is today).

But what really “started it all” and pretty much inspired my security career was one book: "Maximum Security" by Anonymous. I read it and fell ill with “secure-itis”: I just knew that I would do this for a living. And, no, I still don’t know who actually wrote the book.

Afterwards, I read a large number of security books, and, as you know, wrote and co-wrote a few of my own.

Q: Before I became an infosec professional I wanted to be:

A: A theoretical physicist, of course. Most physics PhDs give up physics nowadays, it seems. In fact, almost all of my graduate school classmates work either on Wall Street (yes, even now after the crisis) or in IT. Physics is an awesome mindset builder, which you can apply in many fields with humongous success. I never once regretted leaving academia and plunging into the chaotic and sometimes perilous world of infosecurity.

Q: What was your first job ever?

A: Selling enterprise software, believe it or not. I was part-timing as a distributor of some Russian accounting software package back when I went to University in Moscow.

Q: The best thing about being an infosec professional is:

A: You are never bored. Well, one can be bored doing one task if you do it for too long, but a quick glance at the “big picture” of security would definitely clear your boredom.

Q: The worst thing about being an infosec professional is:

A: You are never bored – somebody is always owning somebody (hopefully they are not owning you :-( )

Q: The biggest misconception about infosec is:

A: I’ve heard people say that the whole security industry is here due to Microsoft writing bad code or due to early TCP/IP stack creators not baking security in, but such opinions are sorely wrong. No, the people who use the technology are the reason why we are here doing security.

And that is why information security will never be truly “done” and will never go away into the sunset: people will always be screwing things up, both on purpose and by mistake.

Q: The next big thing in infosec is …

A: … something to do with cloud computing, but I think nobody really knows for sure.

Q: Are you more into engineering new solutions, or are you rather an evangelist who speaks about the ideas of information security?

A: Definitely both! One friend said that I am one of the few people in the world who can switch from reading Gartner to reading packet headers in hex within a minute. Surely, it was an exaggeration, but there is some truth in this: I enjoy doing research, building new stuff as well as thinking, writing and evangelizing on security.

Q: The analogy I use most when describing infosec terms is:

A: The very lack of a clear analogy: infosec is not like insurance, not like warfare, not like police work, not like private detective work, not like audit, not even like risk management. Well, it is like all of them, but it cannot be explained by using only one of the above as an analogy.

Q: The weirdest security question I’ve ever been asked was:

A: “I got SSL – am I PCI compliant now?” Well, I guess you can say it is a “compliance question”, not a “security question”, but it is still pretty darn weird.