The world’s first computer doc has a security prescription

The man who wrote the original anti-virus program tells Paul Rodgers he wants to make data safer

Where Sergey Brin and Mark Zuckerberg have made geekdom funky, Peter Tippett is a bit of a throwback. He has on a grey suit with a conservative blue tie when we meet; his hair would please a marine drill sergeant and he wears wire-frame glasses that are almost as unstylish as (though undoubtedly more expensive than) mine.

But in his own fashion, Tippett has been just as revolutionary as the founders of Google and Facebook. Long before the internet took off, in the days when software spread from one machine to another on 5 1/4-inch floppy disks, Tippett wrote the world’s first anti-virus program, called Vaccine – at the same time inventing, almost as an afterthought, the undo command (control Z in many applications) and the restore disk. He also built not one but two big security companies, the first evolving into the business now known as Norton.

Along the way, he developed a security philosophy that is so full of common sense, yet so defies commercial imperatives, that one can only conclude that the buying public is mad. “This is how we’ve done security in the real world for ever,” says Tippett, leaning forward to make his point with an enthusiasm that belies his dour dress sense. “Why people don’t want it on their computers is beyond me.”

Most people consider themselves lucky to have a single career. Tippett has qualified for six. For starters he’s a pilot, licensed to fly jumbo jets loaded with passengers across oceans. “I’ve been flying since I was 15,” he says. “It’s my hobby.” He also has a PhD in biochemistry from Case Western Reserve University in Cleveland, and a commercial radio engineer certificate. Plus he’s a medical doctor, which led, circuitously, to his jobs as entrepreneur and security guru.

“For 32 years I’d had no income,” he says. “When I got my first job as a doctor I didn’t know what to do with the money, so I hired four guys and put them to work writing programs in my living room.”

That was shortly before the first computer virus was developed by Frederick Cohen at Lehigh University in Pennsylvania in 1983. Tippett and his chief programmer met a Lehigh student at a trade show in California and got a copy of the virus from him. “Writing Vaccine took us five weeks, including the manual and the sales brochure,” says Tippett.

Yet when McAfee came along three years later with its own anti-virus suite, it quickly ate into Vaccine’s still-small sales. The two programmes worked with philosophies that were diametrically opposed. Vaccine checked that the software on your machine was approved and hadn’t been tampered with. Anything else it considered to be a threat, an approach known in the jargon as “default denial”. McAfee’s program allowed any bit of code as long as it wasn’t on its list of known viruses, an approach called “default permit”. When a new bit of malicious programming emerged, McAfee had to get a copy, write a bespoke response, and distribute it to customers. “It’s like putting a big sign outside your house inviting everyone in to root through your stuff as long as they’re not convicted criminals,” says Tippett in his slightly nasal Michigan accent. “It’s not what we do in the real world.”

The story reminds me of the superiority of Betamax over VHS in the late 1970s, and of Apple over Microsoft a decade later. So why didn’t buyers go for the better product in this case? “What people wanted from an anti-virus program,” says Tippett, “was the ‘scan’ function.” They wanted to be reassured that every line of code had been checked.

For now, at least, the battle has been lost. Like McAfee, Norton works on a “default permit” philosophy these days. And Tippett has moved on. By the start of the 1990s he was an acknowledged expert on information security, and advised the US Joint Chiefs of Staff on cyber warfare during Desert Storm in Iraq. He sold his company to Symantec in 1992, though he stayed on to help them for more than two years. “I left after they decided they didn’t want me to be chief executive,” he says candidly, adding: “I don’t hate them; they bought me a jet plane.” A little one, he adds.

Tippett made his second fortune building Cybertrust, a company that would eventually become the Virginia-based security arm of Verizon, the world’s largest internet service provider, where it does, among other things, the lion’s share of the forensic work after hackers break into corporate and government databases. And its a Verizon report on this work, in its own way as iconoclastic as Vaccine, that he’s here to talk about.

“Computers are at the same point in the growth cycle as airlines were at the time of the DC3,” he says. “Back then we could fly to France, but we’re 5,000 times less likely to die doing it today. How did we make airlines so safe?” The answer, he says, is rigorous scientific investigation of every case where the system fails.

Admitting that corporate firewalls have been breached and sensitive customer data, often financial data, have been stolen is bad for business, he says, so only a third of cases are reported publicly, usually because its a legal requirement. Verizon, however, investigates 90 per cent of such cases around the world, putting it in a unique position to analyse who the hackers are and how they work. The results contradict many popular myths in the information security world.

It is widely thought, for example, that most hacks start with an insider. But Verizon’s stats show that only 11 per cent of cases are down to employees acting alone, while in another 9 per cent outsiders are helped inadvertently by an employee’s actions. Seventy-four per cent of hacks involve outsiders, says Tippett. And those outsiders were far more effective thieves, stealing 99.9 per cent of the records. The remaining cases are initiated by people from partner organisations, such as suppliers, with access to the target’s computer network.

The hackers are also unlikely to work for state organisations – the popular KGB scenario. While there’s no evidence of governments backing hackers, plenty of it points to known organised crime gangs.

Tippett also pours cold water on some of his industry’s favourite remedies, such as encrypting every piece of data, applying security patches immediately, or using long passwords. Most uses of encryption won’t stop hacking, he says – though it might be helpful on easily stolen laptops – few cases of data theft involved recently discovered vulnerabilities in the system and when thousands of user names are being attacked, an eight-digit code is only slightly more secure than one five digits long. The bigger risk is that passwords will be left on the default settings, such as “admin” or “password”, especially on servers.

What’s needed, he says, are layered defences, each catching most, though not all, attempts at invasion. “The number one thing to do,” he says. “is a lot of little things.”

Travel
travel
News
Tim Vine has won the funniest joke award at the Edinburgh Festival 2014
peopleTim Vine, winner of the Funniest Joke of the Fringe award, has nigh-on 200 in his act. So how are they conceived?
Sport
sportBesiktas 0 Arsenal 0: Champions League qualifying first-leg match ends in stalemate in Istanbul
News
Jamie and Emily Pharro discovering their friend's prank
video
PROMOTED VIDEO
News
ebooksAn evocation of the conflict through the eyes of those who lived through it
Sport
Manchester United are believed to have made a £15m bid for Marcos Rojo
sportWinger Nani returns to Lisbon for a season-long loan as part of deal
News
news
News
i100
Arts and Entertainment
O'Toole as Cornelius Gallus in ‘Katherine of Alexandria’
filmSadly though, the Lawrence of Arabia star is not around to lend his own critique
Life and Style
fashion
Latest stories from i100
Have you tried new the Independent Digital Edition apps?
Independent Dating
and  

By clicking 'Search' you
are agreeing to our
Terms of Use.

iJobs Job Widget
iJobs Money & Business

Quantitative Developer

£700 per day: Harrington Starr: Quantitative Developer C++, Python, STL, R, PD...

Web developer (C#, MVC4, HTML5, CSS3, Javascript, Jquery)

£30000 - £44000 per annum + Bonus+Benefits+Package: Harrington Starr: Web deve...

Senior Automation QA Engineer (Java, Selenium WebDriver, Agile)

£40000 - £65000 per annum + benefits+bonus+package: Harrington Starr: Senior A...

Web developer (C#.NET, ASP.NET, MVC3/4, HTML5, CSS3, JAVASCRIPT

£35000 - £45000 per annum + benefits+bonus+package: Harrington Starr: Web deve...

Day In a Page

Ferguson: In the heartlands of America, a descent into madness

A descent into madness in America's heartlands

David Usborne arrived in Ferguson, Missouri to be greeted by a scene more redolent of Gaza and Afghanistan
BBC’s filming of raid at Sir Cliff’s home ‘may be result of corruption’

BBC faces corruption allegation over its Sir Cliff police raid coverage

Reporter’s relationship with police under scrutiny as DG is summoned by MPs to explain extensive live broadcast of swoop on singer’s home
Lauded therapist Harley Mille still in limbo as battle to stay in Britain drags on

Lauded therapist still in limbo as battle to stay in Britain drags on

Australian Harley Miller is as frustrated by court delays as she is with the idiosyncrasies of immigration law
Lewis Fry Richardson's weather forecasts changed the world. But could his predictions of war do the same?

Lewis Fry Richardson's weather forecasts changed the world...

But could his predictions of war do the same?
Kate Bush asks fans not to take photos at her London gigs: 'I want to have contact with the audience, not iPhones'

'I want to have contact with the audience, not iPhones'

Kate Bush asks fans not to take photos at her London gigs
Under-35s have rated gardening in their top five favourite leisure activities, but why?

Young at hort

Under-35s have rated gardening in their top five favourite leisure activities. But why are so many people are swapping sweaty clubs for leafy shrubs?
Tim Vine, winner of the Funniest Joke of the Fringe award: 'making a quip as funny as possible is an art'

Beyond a joke

Tim Vine, winner of the Funniest Joke of the Fringe award, has nigh-on 200 in his act. So how are they conceived?
The late Peter O'Toole shines in 'Katherine of Alexandria' despite illness

The late Peter O'Toole shines in 'Katherine of Alexandria' despite illness

Sadly though, the Lawrence of Arabia star is not around to lend his own critique
Wicken Fen in Cambridgeshire: The joy of camping in a wetland nature reserve and sleeping under the stars

A wild night out

Wicken Fen in Cambridgeshire offers a rare chance to camp in a wetland nature reserve
Comic Sans for Cancer exhibition: It’s the font that’s openly ridiculed for its jaunty style, but figures of fun have their fans

Comic Sans for Cancer exhibition

It’s the font that’s openly ridiculed for its jaunty style, but figures of fun have their fans
Besiktas vs Arsenal: Five things we learnt from the Champions League first-leg tie

Besiktas vs Arsenal

Five things we learnt from the Champions League first-leg tie
Rory McIlroy a smash hit on the US talk show circuit

Rory McIlroy a smash hit on the US talk show circuit

As the Northern Irishman prepares for the Barclays, he finds time to appear on TV in the States, where he’s now such a global superstar that he needs no introduction
Boy racer Max Verstappen stays relaxed over step up to Formula One

Boy racer Max Verstappen stays relaxed over step up to F1

The 16-year-old will become the sport’s youngest-ever driver when he makes his debut for Toro Rosso next season
Fear brings the enemies of Isis together at last

Fear brings the enemies of Isis together at last

But belated attempts to unite will be to no avail if the Sunni caliphate remains strong in Syria, says Patrick Cockburn
Charlie Gilmour: 'I wondered if I would end up killing myself in jail'

Charlie Gilmour: 'I wondered if I'd end up killing myself in jail'

Following last week's report on prison suicides, the former inmate asks how much progress we have made in the 50 years since the abolition of capital punishment