Paranoid Penguin - Interview with Marcus Meissner

Recently, after receiving one of SUSE's regular security-update e-mail messages, it occurred to me that people who track security vulnerabilities for Linux distributions really are in the front lines of Linux security. I have the luxury of examining one command here, one architecture there, but these people track threats and vulnerabilities for entire operating systems.

And, for a moment, I was fearful. What if this occurs to my editors, who might reach the obvious conclusion that the Paranoid Penguin really ought to be authored by a real expert, like SUSE Security Team Lead Marcus Meissner, rather than this goofball Mick?

But, of course, if they fired me, I'd be forced to release those photos I took of them back in 2003 on the Linux Lunacy cruise, and nobody wants that to happen. Think of the disillusionment and embarrassment, not to say indigestion, this might cause! I, for one, do not wish to be party to such a vile media circus. (Unless that party features the TCP/IP Drinking Game, like at Def Con—good times! Then again, that's the kind of thinking that landed my editors in this pickle.)

So, you're stuck with me for the foreseeable future, gentle reader. But, take heart! This month you get both me and wisdom: Marcus Meissner graciously agreed to an interview, in which we talked about practically every major topic in Linux security I could imagine.

As you can see, Marcus has useful and interesting insights on all of these topics. Read, learn and enjoy.

MB: Thanks so much for taking the time to chat with Linux Journal! By way of introducing you to our readers, I'd like to start with a question or two about your background.

Marcus Meissner

MM: Thank you for interviewing me!

MB: Could you describe your duties at SUSE as Security Team Lead?

MM: My duties as Security Team Lead are mostly overseeing security-related work done for the SUSE Linux/OpenSUSE product lines. My team has three people and one trainee currently, so there still is time left for myself to be involved in the groundwork.

What my team does can be split into two parts: reactive work and proactive work.

Reactive work is what you know of as coordinating security updates for security incidents for the products currently under support. This involves reading mailing lists, watching the bug tracker, watching the internal update release processes and giving answers to packagers, QA and others wanting to know about the updates.

Proactive work consists mostly of reviewing security-related changes for future products, adding new security features for those and, of course, actively reviewing and auditing source code for flaws and fixing them.

My typical day is mostly lots of communication spread over the whole day: reading and answering e-mail, instant messages, phone calls and, of course, meetings. All this is done mostly to get the above-listed security tasks taken care of, so there are not specific phases of the day. Occasionally, I still do some programming and handling of the packages I maintain in the distribution.

MB: You started out at SUSE on its PowerPC Maintenance Team, right? Why did you go to the Security Team?

MM: Historically, I had been working in the security field already in my last year (2001) at Caldera. After coming to SUSE, there was no need for another security engineer there, so I had different tasks. I started out doing various non-PowerPC-related development my first year at SUSE, but gravitated in the end to the PowerPC Development Team.

In 2004, however, I wanted a bit more responsibility, and then SUSE started looking for a lead for the Security Team. So, the offer of interesting work, more responsibility and my first people management job got me into it in the end.

MB: Do you have any formal training in information security? (This is sort of a trick question: many of my most accomplished colleagues are mostly self-taught.)

MM: Portions of it I got from university, such as basics on cryptography, protection models like Bell-LaPadula and information leaks via side channels.

But, most of my information security training was on the job and by self-education, because it was not very high on the list of must-haves in the universities in the middle of the 1990s.

MB: How has your background in software development informed your work as a security professional?

MM: Lots of the low-level work of security in the Linux distribution area is actually bug fixing and helping others design and write good code to avoid bugs. So, yes, my background in software development was a must for this job.