Undergraduate: University of Texas, Austin. Bachelor of Business Administration, 1971.
Graduate: New York University, Master of Business Administration, 1972.
Professional designation: Certified Public Accountant
Moved to Amarillo, Texas 1972
Employed as staff accountant at H.V. Roberson, CPAs, until 1978
Self-employed ever since with personal investments.
Founder: SAGEFirst, Inc. – Computer security based on implementing a change control or change prevention protocol for applications and operating systems. Such a protocol prevents worms, viruses, Trojan horses and other exploits that involve loading and executing arbitrary code. Besides preventing worms, viruses, etc., past, present and future, the protocol also removes the opportunity for malicious insiders to create mayhem.
Married with two sons in college.
My inspiration for Process Based Security (PBS) was pretty simple. One day I was reading about the next big exploit and realized it was all about getting "root" on a machine. People were exploiting programs that ran as root, to be able to do whatever they wanted, on that computer. Once someone was running as root, every program they ran also ran as root ad infinitum.
This told me there were a few problems with the current view of security:
1) People were being given access to system resources, when it was the programs they ran that actually used the resource.
2) Giving people access to resources meant that you had to give them all the access they would ever need, regardless of the program they were running at the time. This meant that when the user did a simple function like getting a directory listing, they could also read their e-mail. Security depended on trusting the directory listing program not to read your e-mail.
3) The kinds of access given weren’t anywhere near fine-grained enough.
Trying to solve these problems is what led to PBS. With PBS I decided:
1) Set up access rights based on the program, and control users by controlling the programs they can run.
2) For each program, give it access only to what it needs (i.e. a directory listing program can only open directories for reading).
3) Allow for a lot more access control. Beyond the typical read, write and execute access, PBS can also do such things as allow existing data to be read while new data can only be appended. Program X can execute program Y: programs aren't simply marked as executable so that anyone can execute them; instead a program is given execute rights to another program, and it is assumed the other program is a program (the OS checks for this anyway). This keeps compromised web servers from starting shells.
4) Reduce the access given to a program to what it minimally needs to run.
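The four PBS principles above, modelled as an added example written for this page (it is not SAGEFirst code, and the policy format, program paths, user names and file paths are made up): a toy reference monitor in which rights are attached to programs rather than users, a user is controlled only through the set of programs they may run, data can be granted read-and-append without overwrite, and execute rights are granted per program pair so a web server can start its CGI programs but not a shell.

```python
"""Toy reference monitor for program-based access control.

Added illustration of the PBS principles listed above (rights attached to
programs rather than users, append-only data, per-program execute rights).
It is not SAGEFirst code; the policy format, program paths, user names and
file names below are made up for the example.
"""
from enum import Flag, auto
import fnmatch


class Right(Flag):
    NONE = 0
    READ = auto()      # read data that already exists
    APPEND = auto()    # add data at the end; cannot change what is there
    WRITE = auto()     # overwrite or truncate existing data
    LISTDIR = auto()   # open a directory for reading
    EXEC = auto()      # start the named program (granted per program pair)


# Rights are attached to the PROGRAM, not to the user running it.
# program -> [(path glob, rights)]  (constructed policy, not a real format)
POLICY = {
    "/bin/ls": [("/home/alice/*", Right.LISTDIR)],
    "/bin/mail": [("/home/alice/mail/*", Right.READ | Right.APPEND)],
    "/usr/sbin/httpd": [
        ("/var/www/*", Right.READ),
        ("/var/log/httpd/access.log", Right.APPEND),   # log can grow, not be rewritten
        ("/usr/lib/cgi-bin/*", Right.EXEC),            # may start CGI programs, nothing else
    ],
}

# Users are controlled only through the set of programs they may run.
USERS = {
    "alice": {"/bin/ls", "/bin/mail"},
    "www": {"/usr/sbin/httpd"},
}


def rights_for(program, path):
    """Union of every policy rule for `program` whose glob matches `path`."""
    granted = Right.NONE
    for pattern, rights in POLICY.get(program, []):
        if fnmatch.fnmatchcase(path, pattern):
            granted |= rights
    if Right.WRITE in granted:       # anyone who may overwrite may also append
        granted |= Right.APPEND
    return granted


def mode_to_rights(mode):
    """Map an fopen-style mode ('r', 'w', 'a', with optional '+') to the rights it needs."""
    base, plus = mode[0], "+" in mode
    if base == "r":
        return Right.READ | (Right.WRITE if plus else Right.NONE)
    if base == "w":
        return Right.WRITE | (Right.READ if plus else Right.NONE)
    if base == "a":
        return Right.APPEND | (Right.READ if plus else Right.NONE)
    raise ValueError("unknown open mode %r" % mode)


def authorize(user, program, path, needed):
    """Return (allowed, reason). Deny if the user may not run the program,
    or if the program lacks any of the rights the operation needs."""
    if program not in USERS.get(user, set()):
        return False, "%s may not run %s" % (user, program)
    missing = needed & ~rights_for(program, path)
    if missing:
        return False, "%s lacks %s on %s" % (program, missing, path)
    return True, "ok"


def open_file(user, program, path, mode):
    return authorize(user, program, path, mode_to_rights(mode))


def list_dir(user, program, path):
    return authorize(user, program, path, Right.LISTDIR)


def exec_program(user, program, target):
    return authorize(user, program, target, Right.EXEC)


if __name__ == "__main__":
    cases = [
        list_dir("alice", "/bin/ls", "/home/alice/mail"),
        open_file("alice", "/bin/ls", "/home/alice/mail/inbox", "r"),       # ls cannot read mail
        open_file("alice", "/bin/mail", "/home/alice/mail/inbox", "a"),     # append is fine
        open_file("alice", "/bin/mail", "/home/alice/mail/inbox", "w"),     # truncating is not
        exec_program("www", "/usr/sbin/httpd", "/usr/lib/cgi-bin/search"),
        exec_program("www", "/usr/sbin/httpd", "/bin/sh"),                  # no shell for httpd
        open_file("alice", "/usr/sbin/httpd", "/var/www/index.html", "r"),  # alice can't run httpd
    ]
    for allowed, reason in cases:
        print("ALLOW" if allowed else "DENY ", reason)
```

The check is a plain "needed rights minus granted rights" subtraction, so a request that mixes rights (an `a+` open needs both READ and APPEND) is denied as soon as one of them is missing; the denial reason names the missing right and the program, which is what an operator would want in a log line.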
While in the US Navy between 1978 and 1984, I was in charge of all crypto codes for my shop on board the USS Midway, as well as reporting to the CMS Custodian for the security of all codes. My systems were NTDS tactical data systems, where we changed codes based on security levels. My career began with security as a primary concern.
I have worked as a contractor with different companies, such as Bank of America for Microsoft, FedEx, UPS, IBM, the US Navy, NASA, First Union and Bank of Boston, to name a few; security is our utmost concern.
I have been working with SAGEFirst since 2004 on different projects, and the introduction of security as an appliance fit well with my experience of security in the US Navy. Securing smart phone data is my primary concern today, as it represents locations, bank accounts, communications with anyone in the world, my children's communications with others, insurance information and medical information, to name a few.
In today's world it is no longer a question of "if your personal data will be compromised" but of "when your personal data will be compromised". What concerns me is that most companies are only concerned with how it affects them instead of how it affects the client, i.e., me and my family.
I view the world of data not as corporate data but as my data that resides on corporate servers. I cannot sit around attempting to trust them; I need to control my own data. For example, I do not leave my wallet on a table for anyone to take advantage of; I consider it my responsibility to safeguard my private information, and it is no different with smart phone devices. As the world of smart phones opens up, I need to control my data on that device and take responsibility for my security as I would with my own wallet.
Corporate information on these devices also opens up security holes that must be addressed so that client information is not compromised. As a good community partner, a corporation can not only protect itself but also look for ways to help clients protect themselves, so that we are both winners.