The world’s first computer doc has a security prescription

The man who wrote the original anti-virus program tells Paul Rodgers he wants to make data safer

Where Sergey Brin and Mark Zuckerberg have made geekdom funky, Peter Tippett is a bit of a throwback. He has on a grey suit with a conservative blue tie when we meet; his hair would please a marine drill sergeant and he wears wire-frame glasses that are almost as unstylish as (though undoubtedly more expensive than) mine.

But in his own fashion, Tippett has been just as revolutionary as the founders of Google and Facebook. Long before the internet took off, in the days when software spread from one machine to another on 5 1/4-inch floppy disks, Tippett wrote the world’s first anti-virus program, called Vaccine – at the same time inventing, almost as an afterthought, the undo command (control Z in many applications) and the restore disk. He also built not one but two big security companies, the first evolving into the business now known as Norton.

Along the way, he developed a security philosophy that is so full of common sense, yet so defies commercial imperatives, that one can only conclude that the buying public is mad. “This is how we’ve done security in the real world for ever,” says Tippett, leaning forward to make his point with an enthusiasm that belies his dour dress sense. “Why people don’t want it on their computers is beyond me.”

Most people consider themselves lucky to have a single career. Tippett has qualified for six. For starters he’s a pilot, licensed to fly jumbo jets loaded with passengers across oceans. “I’ve been flying since I was 15,” he says. “It’s my hobby.” He also has a PhD in biochemistry from Case Western Reserve University in Cleveland, and a commercial radio engineer certificate. Plus he’s a medical doctor, which led, circuitously, to his jobs as entrepreneur and security guru.

“For 32 years I’d had no income,” he says. “When I got my first job as a doctor I didn’t know what to do with the money, so I hired four guys and put them to work writing programs in my living room.”

That was shortly before the first computer virus was developed by Frederick Cohen at Lehigh University in Pennsylvania in 1983. Tippett and his chief programmer met a Lehigh student at a trade show in California and got a copy of the virus from him. “Writing Vaccine took us five weeks, including the manual and the sales brochure,” says Tippett.

Yet when McAfee came along three years later with its own anti-virus suite, it quickly ate into Vaccine’s still-small sales. The two programmes worked with philosophies that were diametrically opposed. Vaccine checked that the software on your machine was approved and hadn’t been tampered with. Anything else it considered to be a threat, an approach known in the jargon as “default denial”. McAfee’s program allowed any bit of code as long as it wasn’t on its list of known viruses, an approach called “default permit”. When a new bit of malicious programming emerged, McAfee had to get a copy, write a bespoke response, and distribute it to customers. “It’s like putting a big sign outside your house inviting everyone in to root through your stuff as long as they’re not convicted criminals,” says Tippett in his slightly nasal Michigan accent. “It’s not what we do in the real world.”

The story reminds me of the superiority of Betamax over VHS in the late 1970s, and of Apple over Microsoft a decade later. So why didn’t buyers go for the better product in this case? “What people wanted from an anti-virus program,” says Tippett, “was the ‘scan’ function.” They wanted to be reassured that every line of code had been checked.

For now, at least, the battle has been lost. Like McAfee, Norton works on a “default permit” philosophy these days. And Tippett has moved on. By the start of the 1990s he was an acknowledged expert on information security, and advised the US Joint Chiefs of Staff on cyber warfare during Desert Storm in Iraq. He sold his company to Symantec in 1992, though he stayed on to help them for more than two years. “I left after they decided they didn’t want me to be chief executive,” he says candidly, adding: “I don’t hate them; they bought me a jet plane.” A little one, he adds.

Tippett made his second fortune building Cybertrust, a company that would eventually become the Virginia-based security arm of Verizon, the world’s largest internet service provider, where it does, among other things, the lion’s share of the forensic work after hackers break into corporate and government databases. And its a Verizon report on this work, in its own way as iconoclastic as Vaccine, that he’s here to talk about.

“Computers are at the same point in the growth cycle as airlines were at the time of the DC3,” he says. “Back then we could fly to France, but we’re 5,000 times less likely to die doing it today. How did we make airlines so safe?” The answer, he says, is rigorous scientific investigation of every case where the system fails.

Admitting that corporate firewalls have been breached and sensitive customer data, often financial data, have been stolen is bad for business, he says, so only a third of cases are reported publicly, usually because its a legal requirement. Verizon, however, investigates 90 per cent of such cases around the world, putting it in a unique position to analyse who the hackers are and how they work. The results contradict many popular myths in the information security world.

It is widely thought, for example, that most hacks start with an insider. But Verizon’s stats show that only 11 per cent of cases are down to employees acting alone, while in another 9 per cent outsiders are helped inadvertently by an employee’s actions. Seventy-four per cent of hacks involve outsiders, says Tippett. And those outsiders were far more effective thieves, stealing 99.9 per cent of the records. The remaining cases are initiated by people from partner organisations, such as suppliers, with access to the target’s computer network.

The hackers are also unlikely to work for state organisations – the popular KGB scenario. While there’s no evidence of governments backing hackers, plenty of it points to known organised crime gangs.

Tippett also pours cold water on some of his industry’s favourite remedies, such as encrypting every piece of data, applying security patches immediately, or using long passwords. Most uses of encryption won’t stop hacking, he says – though it might be helpful on easily stolen laptops – few cases of data theft involved recently discovered vulnerabilities in the system and when thousands of user names are being attacked, an eight-digit code is only slightly more secure than one five digits long. The bigger risk is that passwords will be left on the default settings, such as “admin” or “password”, especially on servers.

What’s needed, he says, are layered defences, each catching most, though not all, attempts at invasion. “The number one thing to do,” he says. “is a lot of little things.”

PROMOTED VIDEO
News
A 1930 image of the Karl Albrecht Spiritousen and Lebensmittel shop, Essen. The shop was opened by Karl and Theo Albrecht’s mother; the brothers later founded Aldi
people
News
Lane Del Rey performing on the Pyramid Stage at Glastonbury 2014
people... but none of them helped me get a record deal, insists Lana Del Rey
Life and Style
fashion Designs are part of feminist art project by a British student
Arts and Entertainment
Dwayne 'The Rock' Johnson stars in Hercules
filmReview: The Rock is a muscular Davy Crockett in this preposterous film, says Geoffrey Macnab
News
i100
Arts and Entertainment
British author Howard Jacobson has been long-listed for the Man Booker Prize
books
News
ebookA unique anthology of reporting and analysis of a crucial period of history
Life and Style
tech
Arts and Entertainment
Standing the test of time: Michael J Fox and Christopher Lloyd in 'Back to the Future'
filmA cult movie event aims to immerse audiences of 80,000 in ‘Back to the Future’. But has it lost its magic?
Sport
Louis van Gaal watches over Nani
transfers
Arts and Entertainment
Flora Spencer-Longhurst as Lavinia, William Houston as Titus Andronicus and Dyfan Dwyfor as Lucius
theatreThe Shakespeare play that proved too much for more than 100 people
News
exclusivePunk icon Viv Albertine on Sid Vicious, complacent white men, and why free love led to rape
Latest stories from i100
Have you tried new the Independent Digital Edition apps?
Independent Dating
and  

By clicking 'Search' you
are agreeing to our
Terms of Use.

iJobs Job Widget
iJobs Money & Business

Cost Reporting-MI Packs-Edinburgh-Bank-£350/day

£300 - £350 per day + competitive: Orgtel: Cost Reporting Manager - MI Packs -...

Insight Analyst – Permanent – Up to £40k – North London

£35000 - £40000 Per Annum plus 23 days holiday and pension scheme: Clearwater ...

Test Lead - London - Investment Banking

£475 - £525 per day: Orgtel: Test Lead, London, Investment Banking, Technical ...

Business Analyst - Banking - Scotland - £380-£480

£380 - £480 per day: Orgtel: Business Analyst - Banking - Edinburgh - £380 - ...

Day In a Page

Noel Fielding's 'Luxury Comedy': A land of the outright bizarre

Noel Fielding's 'Luxury Comedy'

A land of the outright bizarre
What are the worst 'Word Crimes'?

What are the worst 'Word Crimes'?

‘Weird Al’ Yankovic's latest video is an ode to good grammar. But what do The Independent’s experts think he’s missed out?
Can Secret Cinema sell 80,000 'Back to the Future' tickets?

The worst kept secret in cinema

A cult movie event aims to immerse audiences of 80,000 in ‘Back to the Future’. But has it lost its magic?
Facebook: The new hatched, matched and dispatched

The new hatched, matched and dispatched

Family events used to be marked in the personal columns. But now Facebook has usurped the ‘Births, Deaths and Marriages’ announcements
Why do we have blood types?

Are you my type?

All of us have one but probably never wondered why. Yet even now, a century after blood types were discovered, it’s a matter of debate what they’re for
Honesty box hotels: You decide how much you pay

Honesty box hotels

Five hotels in Paris now allow guests to pay only what they think their stay was worth. It seems fraught with financial risk, but the honesty policy has its benefit
Commonwealth Games 2014: Why weight of pressure rests easy on Michael Jamieson’s shoulders

Michael Jamieson: Why weight of pressure rests easy on his shoulders

The Scottish swimmer is ready for ‘the biggest race of my life’ at the Commonwealth Games
Some are reformed drug addicts. Some are single mums. All are on benefits. But now these so-called 'scroungers’ are fighting back

The 'scroungers’ fight back

The welfare claimants battling to alter stereotypes
Amazing video shows Nasa 'flame extinguishment experiment' in action

Fireballs in space

Amazing video shows Nasa's 'flame extinguishment experiment' in action
A Bible for billionaires

A Bible for billionaires

Find out why America's richest men are reading John Brookes
Paranoid parenting is on the rise - and our children are suffering because of it

Paranoid parenting is on the rise

And our children are suffering because of it
For sale: Island where the Magna Carta was sealed

Magna Carta Island goes on sale

Yours for a cool £4m
Phone hacking scandal special report: The slide into crime at the 'News of the World'

The hacker's tale: the slide into crime at the 'News of the World'

Glenn Mulcaire was jailed for six months for intercepting phone messages. James Hanning tells his story in a new book. This is an extract
We flinch, but there are degrees of paedophilia

We flinch, but there are degrees of paedophilia

Child abusers are not all the same, yet the idea of treating them differently in relation to the severity of their crimes has somehow become controversial
The truth about conspiracy theories is that some require considering

The truth about conspiracy theories is that some require considering

For instance, did Isis kill the Israeli teenagers to trigger a war, asks Patrick Cockburn