David is a Director of Program Management with the Microsoft Windows Security organization focusing on security design and engineering in the Windows platform. He joined Microsoft in 1998 and has made significant technical and architectural contributions to Microsoft products such as Windows 2000/XP/Vista, Windows Server 2003 and Exchange Server 2003. In addition, David has been a contributing author on a number of whitepapers and Microsoft Press books regarding Microsoft security and PKI. Prior to joining Microsoft, he spent two years as a Project Manager and Senior Architect with the Microsoft Solution Provider/Partner community and five years active duty with the aviation electronic warfare community of the United States Navy. David has spoken at over 100 internal and industry conferences around the world including TechEd, RSA, ITForum, PKI Forum and NISSC. David holds a B.S. in Computer Information Systems as well as an MBA in Management Information Systems.
The Interview
Jeff Note: This text interview is NOT an exact transcript of the video interview, though there is a lot of overlap. The video is about 15 minutes long.
Jeff: So, David, I want to start by getting you to weigh in on the Clerks II trilogies debate - Star Wars or Lord of the Rings, which was better?
David: I like the older (more classic), so I'll have to say Lord of the Rings.
Jeff Note: Some may be confused by this answer, since Star Wars is the older, but I think he's referring to the books, which are classic.
Jeff: Great - I'm going to ask other security pros this question and we'll see who wins over time. Let's start with some personal questions - are you married?
David: Yes, for six years, to Christine.
Jeff: Any children or pets?
David: No children, but we have one dog and a Meyers parrot named "Kerberos", or Kerby for short.
Jeff: Kerberos is a great name for a security guy's pet. Does Kerby talk? Maybe I could interview him as well?

David's Parrot Kerberos
Jeff: What about hobbies or interests? Favorite movie?
David: The best movie of all time in my mind is Dr. Strangelove. It is simply hilarious and I must have watched it 100 times. My overall hobbies are reading (I am a big fan of Cold War history, both domestic and Soviet) and travelling around the world with my wife.
Jeff: One final personal question - where did you grow up?
David: I was born and raised in Michigan.
Jeff: Cool, another Midwesterner.
Jeff Note: For those in the know, "the Midwest" in the USA are the states that formerly made up the Old Northwest Territory - Illinois, Indiana, Michigan, Ohio and part of Wisconsin. Wikipedia:Midwest says "Regional definitions vary from source to source", but take it from me, those other sources are wrong.
Jeff: Okay, let's move on to some security questions. How did you first get started in computer security?
David: I have always had a natural passion and interest in security and security technologies. My father was a cryptographic technician in the Navy which spawned my interest at a very young age that persisted throughout my career.
Jeff: Who were your security influences? Any security industry folks you admire?
David: The first security book I bought was the first edition of Applied Cryptography by Bruce Schneier. This set my interest in PKI in motion long before Microsoft. I was determined to make security and PKI technologies easier to deploy and usable for everyone.
Jeff: Is that your favorite security book? Put another way, if there were only one security book you could recommend, what would it be?
David: I definitely have a favorite book that I recommend to those new and old to the security industry. It provides a great history and basis for security design that is easy and fun to read - Security Engineering by Ross Anderson.
Jeff Note: It turns out that Ross has talked Wiley into letting him publish his book electronically, by chapter, and also making some audiobook chapters available. I recommend it too, and if you want a paper copy, Ross's site has links to buy it as well.
Jeff: Let's shift gears again, this time to Microsoft. How long have you been working in security at Microsoft?
David: Almost 9 years now. My first 2 years at Microsoft were with Microsoft Consulting Services designing and deploying Security solutions with some of our largest customers. This was an extremely valuable experience that has given me a framework and baseline for building security solutions that customers can actually deploy and use. The rest of my career has been spent in the Windows Security organization.
Jeff: How did you end up joining Microsoft? Did you work in security at other places first?
Jeff Note: David has a very interesting answer on this, but you'll have to watch the video to hear it.
Jeff: What are some of the security features that you've contributed to Microsoft products? What product did they first go into?
David: I've worked on various PKI efforts, the encrypting file system, credential roaming, and volume encryption, among other things. The projects have been in the Windows Security organization and contributed to Windows 2000 and other Windows releases up to and including Windows Vista. That's not a complete list.
Jeff: What security feature in Windows Vista (not necessarily one you developed) are you the most happy to see in the product?
Jeff Note: Short answer: User Account Control (UAC), watch the video to hear more detail on why.
Jeff: Do you hold any patents for your security work at Microsoft?
David: Actually, I'm on 15 patents that have been submitted, but they are all pending and haven't yet been granted.
Jeff: What about security standards work - have you contributed to any?
David: Yes, I've contributed as part of the Microsoft team on X.509 work (http://www.ietf.org/rfc/rfc3709.txt), the PKIX work (http://www.ietf.org/rfc/rfc4556.txt), as well as XML Key Management working group (http://www.w3.org/2001/XKMS/Minutes/20020906-f2f3).
Jeff: One final question - what security colleagues are you grateful to get to work with?
David: Numerous, but to name 2 or 3 off the top of my head - Paul Leach, Richard Ward and Steve Lipner are some that I particularly admire and look up to. They have all contributed so much to the industry and Microsoft and are simply brilliant.

Bibliography - The Written Security Word of David B. Cross
Certificate Revocation and Status Checking, January 2006
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure, July 2004
Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003
Key Archival and Management in Windows Server 2003, December 2004
Windows Server 2003 PKI operations and configuration guide, July 2004
Configuring and Troubleshooting Windows 2000 and Windows Server 2003 Certificate Services Web Enrollment, June 2004
PKI Enhancements in Windows XP Professional and Windows Server 2003, May 2003
Certificate Autoenrollment in Windows Server 2003, April 2003
Encrypting File System in Windows XP and Windows Server 2003, April 2003
The CAPIMON tool, November 2003, CryptoAPI Monitor (CAPIMON) allows an administrator to monitor an application’s CryptoAPI calls and the results.
Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services, August 2003, The Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services runs on the Windows Server 2003 family. It provides support for the SCEP protocol which allows Cisco routers and other intermediate network devices to obtain certificates.
Certificate Enrollment in Windows CE .NET, August 2002
Windows 2000 Server and PKI: Using the nCipher Hardware Security Module, April 2001
Adding Revocation Providers to CryptoAPI for Identrus Applications, December 2001