Keeping NT admins informed: a list-editor speaks

January 8, 2004

When Russ Cooper announced in the first quarter of 1997 that he would be starting a mailing list devoted to NT security, he probably didn't expect it to become one of the most reliable and sought-after forums for admins who look after capricious Windows servers.

The announcement said: "It's not a "Pro-Microsoft" list, but it definitely is a "Pro-NT" list. Folks are coming here because they want to know about NT. They don't want to toss NT out of their sites, they want to make it work... If you want to really know and understand Windows NT Security issues, this is the place to come!"

That promise appears to have been fulfilled. Today the list, known as NTBugtraq, has over 30,000 subscribers and belongs to the biggest private IT security firm - which lets Cooper run it as he sees fit. Not bad for a person who, by his own admission, never finished high school!

Cooper's done a bit more than most IT types, including a sojourn in Liberia - where he would probably be even today, running a company called Xanadu Software, had it not been for the breakout of a civil war.

He was the honorary consul for his country, Canada, in the Liberian capital, Monrovia, but had to leave after waiting for an interminable period for the conflict to end.

Cooper returned to Canada and got on with life. He's taken on various IT roles since then.

He now participates regularly with Microsoft in product design review, alpha, beta and service pack testing. He has also been a technical editor or a reviewer for many books dealing with Windows security.

He was interviewed by email.

Is there any particular reason why you leaned towards a career in IT?

When I was a child I loved creating things. I was a good clarinetist, playing for the Queen of England when I was 10. I also thought I was a good artist. Unfortunately, I realised through my teens that my expertise wasn't in imagination. I could copy any drawing and play any sheet music. When I was 15 and went to a music camp (for which) you had to qualify to get in, I got a chance to be part of a jazz ensemble. At a point in the tune someone pointed at me for a solo. "Where's the music?" I cried.

I went into engineering drafting (draughting, you'd call it), having wanted to be an architect at one point. Very early in that career I got a chance to become part of a CAD group, working on Intergraph systems running off a VAX (1979). As I delved into the capabilities of the system I found FORTRAN. All of a sudden I found I could be creative, but in a "copy-like" fashion. I had to use the available constructs, but I could put them together any way I wanted. Voila! What I had been looking for all of my life, creativity with structure. From that point on I loved IT.

Some kind of brief background would be good...

Born 1959 East York, Ontario, Canada. Raised until 1967 in Laval, Quebec. Quit High School during grade 11, never finished. Worked in a men's wear store, then an employment agency for draftsmen. Then became a loftsman (full scale template draftsman), blueprint boy, process piping draftsman, intermediate draftsman, junior designer, then the CAD job.

In 1982 I opened the first PC Computer store in Toronto - Scarborough Computers - as sales manager. Then to Atlantis Software (an Accounting Package) as Tech Support. Did install routines for 200+ different CPM machines and 450+ printers. Then on to Liberia, West Africa (1985) for 6 years. Too many things to talk about there, but amongst other things:

  • Created the 1st PC and Novell network-based banking system, checking, savings, G/L, international, etc... It also handled soft versus hard currencies (since Liberia's currency wasn't floatable)
  • Became VP of Operations for Eurobank.
  • Installed my banking software in all banks that opened since 1985 - five different banking institutions.
  • Wrote the government's Central Bank software

I moved to London, England and became financial controller for a $US50m/month oil trading company - my office window overlooked Buckingham Palace's backyard.

I came back to Canada in 1990. Worked for Tandem Computers, created Canada's first Public Frame Relay network-based internal WAN. Created SHL (Systemhouse, now EDS) Canada's first internet and intranet practice.

Based on a request from Vint Cerf, I went to work for MCI. Worked on a J/V with British Telecom, Microsoft, and MCI to create a hosted Intranet service (never released, worked on it for 3 years).

In 1997, I created NTBugtraq and in 2000 sold myself to TruSecure Corporation (then ICSA.net) and became "Surgeon General of TruSecure Corporation".

Most people of your vintage (no insult meant!) tend to go the Unix way. Then why Windows?

My first PC was a Tandy that my Dad made. I worked on numerous CPM systems, then opened the PC store. Hence, we were selling systems to people who wanted to do accounting, job costing, or word processing. These were CPM systems, not Unix. When Windows was released, it was the logical direction to go... more small businesses liked the GUI. When I went to Liberia in 1985, I already had a very good relationship with Novell and Microsoft. Over there I pushed some limits in using the Netware development environment to make LANs do what mainframes had been doing, that just entrenched me further into Windows.

According to you, what qualities should a sysadmin have? And how many people have you come across in your 25 years who fit this profile at least to some extent?

A sysadmin needs to understand the business they work for, first and foremost. They need to understand what IT tasks are crucial to the success of their employer. Often that's contrary to what many IT people think of. They also need to have a firm grip on their environment, the confidence to use it, and the political ability to keep that grip.

I've met many sysadmins with these qualities to varying degrees. Maybe it's because I feel I can see potential in people who may not have realised it themselves yet.

How did you come to work in Liberia?

After Atlantis Software folded, I went out on my own doing custom programming. I wrote add-ons for the accounting package. One of my customers was a distributor of clones. He had customers in Liberia, including the only brewery and the only cement company. They had custom-written sales packages done in dBase. I went for a three-week contract to make some minor changes. I ended up completely rewriting the applications in Digital Research CB86 with BTrieve. Sold $190k new equipment and software, took the Liberian company from the Canadian guy, and the rest is history... ;-] My Liberia company was called Xanadu Software.

What convinced you that there was no point in staying on there?

Well, after waiting 8 months for a civil war to end, we finally decided it was time to go when houses around mine were being shelled. We walked three miles up the middle of the highway to get to the German Embassy (I was, at the time, Honorary Canadian Consul to the City of Monrovia). From there, we went in a 40-car convoy and traversed 60 miles in 24 hours. We were then airlifted out of Buchanan by US Marines, onto a Marine flotilla waiting off-shore. From there to Sierra Leone, and home to Canada.

Why did you decide to set up the NTBugtraq list?

Through 1994-96 I had been participating on the Firewalls@Greatcircle.com mailing list originally set up by Bill Cheswick. Frequently, there were questions about securing Microsoft Windows NT. The answers, from notable names, generally were wrong, or, very biased (i.e. "you shouldn't try that on NT, switch to Linux"). It got to the point where, because of my willingness to go head-to-head with big names telling them they were wrong, and providing the correct answer, they eventually called me the "unofficial Microsoft representative to the Firewalls list".

At the same time, Elias Levy was running Bugtraq (now owned by Symantec) and occasionally had a post about NT. Often, those posts contained incorrect information, and I'd end up correcting them too. ISS was running an NTSecurity list and I was a regular poster there. That list became unmoderated at one point and list-loops and spam started going out to subscribers. I offered to ISS to take over the list, but we failed to come to some sort of agreement.

I decided I would start my own list. I checked with several people, including Elias, and they all agreed that a "Bugtraq-like" list dedicated to NT was a good idea.

What made you decide to sell the list?

Money! The year before I sold I made a failed attempt at getting seed money for a security portal. I realised I probably would never get such a business off the ground, so it made more sense to sell myself, and the list, to someone who could make a go of it. TruSecure was the best of all worlds, offering me a good job, decent money for the list, and the ability to maintain my position with respect to the list as its editor with the freedom to post whatever I want.

Judging from your mailing list posts, you appear to have some kind of love-hate relationship with Microsoft. Comment.

I think Microsoft has some of the best people in the world working for them. I also believe they have an environment that's very conducive to creating products that shape the world. However, every now and then it seems they get their foot stuck in the door and do some really dumb things. When that happens, I can't help but point it out to them, and the world.

There's also a personal component. Occasionally personal relationships result in my feeling they don't believe I can make a difference. When that happens, I usually look for something that will have an impact and write about it. Given that it's known I like the products and the company, my taking a critical stance against some aspect of what they do is taken more seriously than many other writers who are known not to like the company.

If you had a chance to replay your professional career would you choose differently? And whichever answer you give, why?

I suppose the only aspect of my career I regret is the 2 years I spent between '90 and '92 waiting to go back into Liberia. I believed the war would end and I would go back and pick up where I left off. Instead, I more or less wasted 2 years. I only had a couple of contracts during that time, and each was of a short duration. I could've used that time far more productively.

Has your choice of career affected you personally?

Well, as a workaholic, it's given me what I want, too much work. Unfortunately, that has also prevented me from having as much of a personal life as I would've liked. In 1996 when I moved up here to Lindsay it was a conscious effort to introduce more leisure into my life. Fishing, bird watching, and generally having nature to look at are all now important parts of my life. In 2000 I re-met my partner, Kim, whom I've known since I was 8. Work still strains our relationship from time to time, but it's getting better.

There's a common complaint from geeks that they can't get a date. Has IT affected your social life?

I guess I answered that above. The biggest complaint I have about my social life is that it's very tough to find people to have interesting discussions with, apart from Kim. My retreat makes up for that somewhat. As a result, I tend to have my conversations with people on-line, hence I'm at the computer a lot, hence less social life.

What do you think about a security company owning a security mailing list? Does it not represent a conflict of interest?

I can't speak for other companies or lists, but certainly not in our case. I run the list, I decide what gets posted and what is rejected. TruSecure makes no attempt to influence this. The list is a great source of information to the company, so they get a tangible benefit.

What do you feel about the posting of proof of concept code to a mailing list?

It depends. If the code is incomplete, then I feel it's OK. If it's a complete attack, then it's not good. Proving a concept doesn't take a working exploit, at least not if you're simply trying to prove you've found what you say you have. People who write complete PoC and post it are trying to show off, get attention, or generally be malicious, IMO.

Responsible disclosure - corporations have one meaning for it and individuals an entirely different one. What would you class as a good middle road?

There's only one meaning for the term, "being responsible about what you disclose, how you do it, and to whom." The problem has been that companies think individuals are working for them when they discover things. They aren't, for the most part, and unless the company is prepared to compensate them for the work, the company needs to alter its expectations.

Individuals, on the other hand, need to take more responsibility for what they publish. Disclaimers on vulnerability notices are not, IMO, reasonable. You can't explain how to break into a system and then claim you're not responsible for someone doing so. You are, to some extent, and that needs to be better understood.

What do you think about the idea that software vendors should be made to take responsibility for the flaws in their software?

I think the breakseal warranty is a bad idea, and needs to be abolished. Software, today, is like most any other products, and flaws in it do have real ramifications. Companies need some way to recover the losses they are spending today in order to rectify problems due to software flaws. If vendors took the responsibility they should, there'd be fewer flaws. Granted, we'd also have fewer products and features, but at this point in time, I don't think that would be a bad thing. We need to consolidate, get adoption by the user community, and make some profits right now.