The world’s first computer doc has a security prescription

The man who wrote the original anti-virus program tells Paul Rodgers he wants to make data safer

Where Sergey Brin and Mark Zuckerberg have made geekdom funky, Peter Tippett is a bit of a throwback. He has on a grey suit with a conservative blue tie when we meet; his hair would please a marine drill sergeant and he wears wire-frame glasses that are almost as unstylish as (though undoubtedly more expensive than) mine.

But in his own fashion, Tippett has been just as revolutionary as the founders of Google and Facebook. Long before the internet took off, in the days when software spread from one machine to another on 5 1/4-inch floppy disks, Tippett wrote the world’s first anti-virus program, called Vaccine – at the same time inventing, almost as an afterthought, the undo command (control Z in many applications) and the restore disk. He also built not one but two big security companies, the first evolving into the business now known as Norton.

Along the way, he developed a security philosophy that is so full of common sense, yet so defies commercial imperatives, that one can only conclude that the buying public is mad. “This is how we’ve done security in the real world for ever,” says Tippett, leaning forward to make his point with an enthusiasm that belies his dour dress sense. “Why people don’t want it on their computers is beyond me.”

Most people consider themselves lucky to have a single career. Tippett has qualified for six. For starters he’s a pilot, licensed to fly jumbo jets loaded with passengers across oceans. “I’ve been flying since I was 15,” he says. “It’s my hobby.” He also has a PhD in biochemistry from Case Western Reserve University in Cleveland, and a commercial radio engineer certificate. Plus he’s a medical doctor, which led, circuitously, to his jobs as entrepreneur and security guru.

“For 32 years I’d had no income,” he says. “When I got my first job as a doctor I didn’t know what to do with the money, so I hired four guys and put them to work writing programs in my living room.”

That was shortly before the first computer virus was developed by Frederick Cohen at Lehigh University in Pennsylvania in 1983. Tippett and his chief programmer met a Lehigh student at a trade show in California and got a copy of the virus from him. “Writing Vaccine took us five weeks, including the manual and the sales brochure,” says Tippett.

Yet when McAfee came along three years later with its own anti-virus suite, it quickly ate into Vaccine’s still-small sales. The two programmes worked with philosophies that were diametrically opposed. Vaccine checked that the software on your machine was approved and hadn’t been tampered with. Anything else it considered to be a threat, an approach known in the jargon as “default denial”. McAfee’s program allowed any bit of code as long as it wasn’t on its list of known viruses, an approach called “default permit”. When a new bit of malicious programming emerged, McAfee had to get a copy, write a bespoke response, and distribute it to customers. “It’s like putting a big sign outside your house inviting everyone in to root through your stuff as long as they’re not convicted criminals,” says Tippett in his slightly nasal Michigan accent. “It’s not what we do in the real world.”

The story reminds me of the superiority of Betamax over VHS in the late 1970s, and of Apple over Microsoft a decade later. So why didn’t buyers go for the better product in this case? “What people wanted from an anti-virus program,” says Tippett, “was the ‘scan’ function.” They wanted to be reassured that every line of code had been checked.

For now, at least, the battle has been lost. Like McAfee, Norton works on a “default permit” philosophy these days. And Tippett has moved on. By the start of the 1990s he was an acknowledged expert on information security, and advised the US Joint Chiefs of Staff on cyber warfare during Desert Storm in Iraq. He sold his company to Symantec in 1992, though he stayed on to help them for more than two years. “I left after they decided they didn’t want me to be chief executive,” he says candidly, adding: “I don’t hate them; they bought me a jet plane.” A little one, he adds.

Tippett made his second fortune building Cybertrust, a company that would eventually become the Virginia-based security arm of Verizon, the world’s largest internet service provider, where it does, among other things, the lion’s share of the forensic work after hackers break into corporate and government databases. And its a Verizon report on this work, in its own way as iconoclastic as Vaccine, that he’s here to talk about.

“Computers are at the same point in the growth cycle as airlines were at the time of the DC3,” he says. “Back then we could fly to France, but we’re 5,000 times less likely to die doing it today. How did we make airlines so safe?” The answer, he says, is rigorous scientific investigation of every case where the system fails.

Admitting that corporate firewalls have been breached and sensitive customer data, often financial data, have been stolen is bad for business, he says, so only a third of cases are reported publicly, usually because its a legal requirement. Verizon, however, investigates 90 per cent of such cases around the world, putting it in a unique position to analyse who the hackers are and how they work. The results contradict many popular myths in the information security world.

It is widely thought, for example, that most hacks start with an insider. But Verizon’s stats show that only 11 per cent of cases are down to employees acting alone, while in another 9 per cent outsiders are helped inadvertently by an employee’s actions. Seventy-four per cent of hacks involve outsiders, says Tippett. And those outsiders were far more effective thieves, stealing 99.9 per cent of the records. The remaining cases are initiated by people from partner organisations, such as suppliers, with access to the target’s computer network.

The hackers are also unlikely to work for state organisations – the popular KGB scenario. While there’s no evidence of governments backing hackers, plenty of it points to known organised crime gangs.

Tippett also pours cold water on some of his industry’s favourite remedies, such as encrypting every piece of data, applying security patches immediately, or using long passwords. Most uses of encryption won’t stop hacking, he says – though it might be helpful on easily stolen laptops – few cases of data theft involved recently discovered vulnerabilities in the system and when thousands of user names are being attacked, an eight-digit code is only slightly more secure than one five digits long. The bigger risk is that passwords will be left on the default settings, such as “admin” or “password”, especially on servers.

What’s needed, he says, are layered defences, each catching most, though not all, attempts at invasion. “The number one thing to do,” he says. “is a lot of little things.”

Start your day with The Independent, sign up for daily news emails
PROMOTED VIDEO
ebooks
ebooksA special investigation by Andy McSmith
Arts and Entertainment
Caroline Proust as Captain Laure Berthaud in 'Spiral'
tvReview: Gritty, engaging and well-acted - it’s a wonder France’s biggest TV export isn’t broadcast on a more mainstream channel
Arts and Entertainment
music
Arts and Entertainment
Laura Carmichael in still from Madam Bovary trailer
film
News
i100
Sport
Serena Williams holds the Australian Open title
sportAustralia Open 2015 final report
Latest stories from i100
Have you tried new the Independent Digital Edition apps?
Independent Dating
and  

By clicking 'Search' you
are agreeing to our
Terms of Use.

iJobs Job Widget
iJobs Money & Business

Recruitment Genius: Software Development Manager

£40000 - £50000 per annum: Recruitment Genius: This is an exciting opportunity...

Ashdown Group: Product Manager - (Product Marketing, Financial Services)

£30000 - £35000 per annum + Benefits: Ashdown Group: Marketing Manager - Marke...

Recruitment Genius: Compliance Assistant

£13000 per annum: Recruitment Genius: This Pension Specialist was established ...

Ashdown Group: Market Research Executive

£23000 - £26000 per annum + Benefits: Ashdown Group: Market Research Executive...

Day In a Page

Michael Calvin: Time for Old Firm to put aside bigotry and forge new links

Michael Calvin's Last Word

Time for Old Firm to put aside bigotry and forge new links
Isis hostage crisis: The prisoner swap has only one purpose for the militants - recognition its Islamic State exists and that foreign nations acknowledge its power

Isis hostage crisis

The prisoner swap has only one purpose for the militants - recognition its Islamic State exists and that foreign nations acknowledge its power, says Robert Fisk
Missing salvage expert who found $50m of sunken treasure before disappearing, tracked down at last

The runaway buccaneers and the ship full of gold

Salvage expert Tommy Thompson found sunken treasure worth millions. Then he vanished... until now
Homeless Veterans appeal: ‘If you’re hard on the world you are hard on yourself’

Homeless Veterans appeal: ‘If you’re hard on the world you are hard on yourself’

Maverick artist Grayson Perry backs our campaign
Assisted Dying Bill: I want to be able to decide about my own death - I want to have control of my life

Assisted Dying Bill: 'I want control of my life'

This week the Assisted Dying Bill is debated in the Lords. Virginia Ironside, who has already made plans for her own self-deliverance, argues that it's time we allowed people a humane, compassionate death
Move over, kale - cabbage is the new rising star

Cabbage is king again

Sophie Morris banishes thoughts of soggy school dinners and turns over a new leaf
11 best winter skin treats

Give your moisturiser a helping hand: 11 best winter skin treats

Get an extra boost of nourishment from one of these hard-working products
Paul Scholes column: The more Jose Mourinho attempts to influence match officials, the more they are likely to ignore him

Paul Scholes column

The more Jose Mourinho attempts to influence match officials, the more they are likely to ignore him
Frank Warren column: No cigar, but pots of money: here come the Cubans

Frank Warren's Ringside

No cigar, but pots of money: here come the Cubans
Isis hostage crisis: Militant group stands strong as its numerous enemies fail to find a common plan to defeat it

Isis stands strong as its numerous enemies fail to find a common plan to defeat it

The jihadis are being squeezed militarily and economically, but there is no sign of an implosion, says Patrick Cockburn
Virtual reality thrusts viewers into the frontline of global events - and puts film-goers at the heart of the action

Virtual reality: Seeing is believing

Virtual reality thrusts viewers into the frontline of global events - and puts film-goers at the heart of the action
Homeless Veterans appeal: MP says Coalition ‘not doing enough’

Homeless Veterans appeal

MP says Coalition ‘not doing enough’ to help
Larry David, Steve Coogan and other comedians share stories of depression in new documentary

Comedians share stories of depression

The director of the new documentary, Kevin Pollak, tells Jessica Barrett how he got them to talk
Has The Archers lost the plot with it's spicy storylines?

Has The Archers lost the plot?

A growing number of listeners are voicing their discontent over the rural soap's spicy storylines; so loudly that even the BBC's director-general seems worried, says Simon Kelner
English Heritage adds 14 post-war office buildings to its protected lists

14 office buildings added to protected lists

Christopher Beanland explores the underrated appeal of these palaces of pen-pushing