Interview with Charles Edge

Stephen Northcutt - September 15th, 2007

How did you first get interested in information security?

It seems like I've been interested in security since I started playing with computers. It was always about trying to push the limits of what could be done. As I moved through the various phases of an IT career my interest just grew. At the University of Georgia and then in the enterprise environments that I worked at when I first got out of school, there was a lot of infrastructure being built out, but not a lot of interest in security. This is about the time that I found Def Con, 2600 and Black Hat, and became part of that community. Once I got a little involved in those the interest seemed to grow exponentially. Then, when I got involved in networking Macs in the Entertainment Industry, these interests came together. Now I see the hacker community as somewhat of a protector, finding flaws so they aren't discovered by people with bad intentions and helping to make systems more secure for everyone.

Did you always work with Macs, what is the story there?

I started out programming Basic and Pascal on the Apple II. I stayed loyal to the Mac up until I got out of college, when I went to work for the (then) Big 6. At that time there weren't many Macs in enterprise environments, so I switched over to being a Microsoft/Unix guy. Once I moved to LA, I started to work with the Entertainment Industry, which is predominantly Mac. Back then it was mostly OS 7 and 8, but my Unix skills came in handy during the switch from OS 9 to OS X. As OS X gained more and more of a foothold and Apple began to adhere to networking standards, the skills from my past and present really started to come together. I am fortunate that I happened to be at the right place at the right time and was able to stand on the shoulders of some of the real giants in enterprise environments and at Apple, where there is never a shortage of great talent.

A lot of people tell me Macs cannot be hacked, is that true?

No system is perfectly secure out of the box. Passwords can be brute forced, there are some vulnerabilities in services that listen on the network and with all of the pieces that make up the puzzle of the OS, there are always ways to get into almost any system provided one has the patience and manages to go unnoticed. This is no different with a Mac. However, with some tuning and user education, the OS becomes much more secure.

The core OS is pretty safe. But like most *nix flavors it relies on a patchwork of open source software. As new versions of these packages become available Apple isn't always quick to integrate. These 3rd party packages are more commonly vulnerable than OS X itself. If you take packages like Apache, Samba and LDAP they can be made really secure, but it often takes a lot of experience with the package itself to harden each one appropriately.

Wow! What then are the top three security issues for a Mac that a regular user would need to be aware of?

One never wants to be alarmist, but there are some things to look out for. The top 3 that I continually run into:
  1. Defaults. The default preference settings leave a Mac a little vulnerable. Go through them, and pay special attention to anything on your system that is listening on any port. By default the firewall is not enabled, but use the built-in firewall at a minimum or a third party firewall (or even better learn how to use ipfw). The built-in rule set just doesn't cover everything that needs to be covered, just as many of the other defaults on a Mac need a little refinement.
  2. Use Anti-Virus. Yes, it's true that there are no "viruses" in the wild for the Mac. But that doesn't mean that there aren't worms, trojans and other critters out there that will get caught by a decent Anti-Virus package.
  3. Passwords. There are still a lot of Mac environments that are open to the Internet without good passwords.

What about an enterprise that uses Macs?

The Mac is a funny fit in the enterprise. Apple has stated repeatedly that they "are not an Enterprise company." However, they continue to gain ground in the enterprise space. They are now fully POSIX compliant, which helps, but there are still some peculiarities, such as the way that imaging and policy management are handled. This leads to a lot of opportunity for those of us with both Mac and enterprise experience. Apple is making strides with Active Directory integration, Common Criteria tools, better documentation and adherence to best practices, but there is still a lot of work to be done by integrators to find the specifics of how to integrate Macs into their environment, which we cover in this course.

For those really interested in how the Mac fits into the enterprise, there is a great web site called they should check out.

I just got an iPhone. Is there something I should be aware of related to iPhone security?

Like any new platform, there are bugs that are going to need to be worked out. Black Hat 2007 proved that for the iPhone. The iPhone is a popular device and will have a lot of people that want to develop exploits for it to get "street cred." The interesting thing to see will be how quickly Apple will respond to flaws that are discovered and release patches.

You are an accomplished writer on OS X. What got you started writing, and what projects are you considering for the future?

I always wanted to be a writer growing up. But my career took me into IT consulting because that's what I ended up being good at. I read a lot of books coming up through the ranks and got to the point where I was starting to think about what was next in my career. My buddy Bard Williams had written a slew of books and helped to make writing seem more accessible. So, I sat down and wrote my first book. Once it was finished I started shopping it around to publishers and it happened to get picked up. After that, inertia took over. The fusion of writing and technology seemed like a perfect fit for me.

Once I'm finished with the Mac OS X Security book for Leopard I will be updating my OS X Server book to Leopard and then doing an Advanced OS X Server book. I'm also in negotiations to do a Windows Server 2008 book, which would be really fun considering all the new scripting features of Windows.

You have just finished a course for SANS, can you tell us a bit about that?

I was involved in writing the OS X Security Checklist for SANS and we noticed there was a lack of good security information and training for the platform. The SANS course is meant to help Mac System Administrators and Security Specialists looking to get involved with the Mac platform. We start off by taking a look at all of the defaults for OS X and then go into a review of each of the packages that Apple includes. We also cover Intrusion Detection, forensics and other security areas that aren't offered for the Mac anywhere else.

It's been a lot of work but I'm happy with the quality of the course!

When will you first run it?

Dry runs for the SANS course, Security 539 Mac OS X Security Fundamentals, should be in November. Once the results from the dry runs come in we will be ready to start offering it to the public.

Who is your target audience, who should attend?

I really had two audiences in mind while writing this course. The first was Mac System Administrators. These are people charged with managing Mac systems for schools and companies who need an introduction to security with an emphasis on their operating system. The second audience is the general security community: system auditors, pen testers and security staff who are looking to get acquainted with the Mac. These two groups are often more at odds than you would think at larger organizations. I'm really hoping to use this course to help bridge the two.

Can you tell us just a bit about yourself, what do you do when you are not in front of a computer?

I just hung up my surf board and moved from Los Angeles to Minneapolis, Minnesota. Now that I'm settled in I hope to start a family with my wife Lisa, continue to grow 318, get some exposure to cross-country skiing and catch plenty of Vikings games!