Gene Spafford

Biography

Gene Spafford, Ph.D., CISSP, is an internationally renowned scientist and educator who has been working in information security, policy, cybercrime, and software engineering for nearly two decades. He is a professor at Purdue University and is the director of CERIAS, the world's premier multidisciplinary academic center for information security and assurance. Professor Spafford and his students have pioneered a number of technologies and concepts well-known in security today, including the COPS and Tripwire tools, two-stage firewalls, and vulnerability databases. Spaf, as he is widely known, has achieved numerous professional honors recognizing his teaching, his research, and his professional service. These include being named a fellow of the AAAS, the ACM, and the IEEE; receiving the National Computer Systems Security Award; receiving the William Hugh Murray Medal of the NCISSE; election to the ISSA Hall of Fame; and receiving the Charles Murphy Award at Purdue. He was named a CISSP, honoris causa in 2000. In addition to over 100 technical reports and articles on his research, Spaf is also the coauthor of Web Security, Privacy, and Commerce, and was the consulting editor for Computer Crime: A Crimefighters Handbook (both from O'Reilly).

Blog

Gene's blog posts are hosted at:
http://www.cerias.purdue.edu/site/blog/author/spaf/

The ACM Banquet

June 28 2009

Tonight (June 27) was the annual ACM Awards Banquet. This event is where various awards and recognitions are made, although most are announced well in advance. Among other things, this is when the Turing Award is officially given (this year, to Professor Barbara Liskov), and when the new class of… read more

On Cyber Czars and 60-day Reports

May 30 2009

Today, and Before On July 17, 2008, (then) Senator Barack Obama held a town hall meeting on national security at Purdue University. He and his panel covered issues of nuclear, biological and cyber security. (I blogged about the event here and here.) As part of his remarks at the event, Senator… read more

Solving the Wrong Problems

May 20 2009

In lieu of a new posting here, let me direct you to the June 2009 issue of Communications of the ACM, pages 22-24. That is an essay I wrote that echoes some of the themes of things I have posted here. I would be interested in your comments. read more

Cyber security challenges and windmills

March 30 2009

[Note: the following is primarily about U.S. Government policies, but I believe several points can be generalized to other countries.] I was editing a section of my website, when I ran across a link to a paper I had forgotten that I wrote. I'm unsure how many people actually saw it… read more

This time, the Senate

March 21 2009

On March 19, I had an opportunity to testify before the Senate Committee on Commerce, Science, and Transportation. The hearing was entitled Cybersecurity – Assessing Our Vulnerabilities and Developing An Effective Defense. I was asked to include information on research problems, educational initiatives, and issues regarding the current state of… read more

Do we need a new Internet?

February 16 2009

Short answer: "Almost certainly, no." Longer answer: The blogosphere is abuzz with comments on John Markoff's Saturday NY Times piece, Do We Need a New Internet? John got some comments from me about the topic a few weeks back. Unfortunately, I don't think a new Internet will solve the problems we… read more

Unsecured Economies, and Overly-secured Reports

January 31 2009

The Report Over the last few months, CERIAS faculty members Jackie Rees and Karthik Kannan have been busy analyzing data collected from IT executives around the world, and have been interviewing a variety of experts in cybercrime and corporate strategy. The results of their labors were published yesterday by the McAfee… read more

A Modest Proposal

January 30 2009

Yesterday and today I was reading repeated news stories about the pending bailout—much of it intended to prop up companies with failed business models and incompetent management. Also distressing are the stories of extravagant bonuses for financial managers who are likely responsible for creating some of the same economic mess… read more

Customer (dis)service

January 11 2009

As our technology becomes more complex, it is often shipped with flaws and missing features. The evolution of the Internet coupled with a “must ship” attitude has led to a number of interesting business practices. One in particular, remote updates/patching, presents some interesting reliability issues. One of the best known versions… read more

E-voting rears its head. Again.

January 02 2009

Over the last few years, I have been involved in issues related to the use of computerization in voting. This has come about because of my concerns about computer security, privacy and reliability, and from my role as chair of the ACM U.S. Public Policy Committee (USACM). USACM has taken… read more

Follow-up on the CA Hack

December 31 2008

Yesterday, I posted a long entry on the recent news about how some researchers obtained a “rogue” certificate from one of the Internet Certificate Authorities. There are some points I missed in the original post that should be noted. The authors of the exploit have a very readable, interesting description… read more

A Serious Threat to Online Trust

December 30 2008

There are several news stories now appearing (e.g., Security News) about a serious flaw in how certificates used in online authentication are validated. Ed Felten gives a nice summary of how this affects online WWW site authentication in his Freedom to Tinker blog posting. Brian Krebs also has his usual… read more

Word documents being used in new attacks

December 18 2008

I have repeatedly pointed out (e.g., this post) to people that sending Word files as attachments is a bad idea. This has been used many, many times to circulate viruses, worms, and more. People continue to push back because (basically) it is convenient for them. How often have we heard… read more

Rethinking computing insanity, practice and research

December 16 2008

[A portion of this essay appeared in the October 2008 issue of Information Security magazine. My thanks to Dave Farber for a conversation that spurred me to post this expanded version.] I’d like to repeat (portions of) a theme I have been… read more

Failures in the Supply Chain

November 16 2008

[This is derived from a posting of mine to Dave Farber’s Interesting People list.] There is an article in the October Businessweek that describes the problem of counterfeit electronic components being purchased and used in critical Defense-related products. This is not a new threat. But first let’s reflect on the past. Historically, the… read more