Security's Heaviest Hitters

Opinion: Three have wielded the most clout in a star-studded lineup.

In my five years covering security for eWEEK, I was privileged to meet and get to know some of the brightest and most dynamic people in the industry, many of whom helped create and define the security community as we know it today. So when I got an e-mail from the folks running the RSA Conference, which takes place this week in San Jose, Calif., asking me to help them choose the 15 most influential people in the security industry, I jumped at the chance.

Luckily, I only had to come up with my top three, not the entire 15. However, even that was a tall order, given the long list of men and women who have made significant contributions to the industry in the last few decades.

A few names came to mind immediately: Whit Diffie and Marty Hellman; Marcus Ranum; Ron Rivest, Adi Shamir and Len Adleman; Bruce Schneier; and Steve Bellovin—among others. Each is eminently deserving of a vote, and, from what I saw of the list of names compiled by RSA, each received his share.

But the RSA folks asked for my top three, so here is what I sent them, in no particular order.

Phil Zimmermann: As the inventor of PGP (Pretty Good Privacy), Zimmermann is a revered figure in the security and privacy community. It's true that his work would not have been possible without the breakthrough made by Diffie and Hellman, who came up with the idea of public-key cryptography, or without Rivest, Shamir and Adleman—the men who not only founded and lent their initials to RSA Security but also invented the RSA algorithm and, with it, the science of modern computer cryptography.

But it was Zimmermann who took the ball and ran with it. He developed the first relatively easy-to-use commercial encryption software and then proceeded to give it away for free as an end run around the U.S. government's efforts to prevent the export of strong cryptography. He uploaded PGP to the Internet in 1991, putting serious encryption in the hands of the masses for the first time.

This made it possible for average citizens to carry on completely private communications on public networks and, in the bargain, caused God knows how many sleepless nights for the spooks at Fort Meade.

The L0pht: These guys, along with Cult of the Dead Cow, were among the first wave of independent research collectives to begin shouting about the serious vulnerabilities in most commercial software and, by extension, the Internet.

They were the ones who began holding Microsoft, Oracle and other vendors accountable for the vulnerabilities in their code. Researchers such as the Litchfields, Thor Larholm, Marc Maiffret and others have their forerunners at the L0pht to thank for the nice livings they make finding and fixing vulnerabilities.

And users everywhere also are indebted to Mudge, Weld Pond and their pals for helping improve the quality of all software.

Bill Gates: No, that's not a misprint. Everything that Gates and Microsoft do affects the entire industry, for good or ill. And he has had a massive effect on the security industry, both good and bad.

He certainly should bear his share of the blame for Microsoft's security problems over the years, considering he was usually the one exhorting the troops to cram more features into the applications and ship them on time, security be damned.

But, ever since he hit the send button on his famous Trustworthy Computing memo in 2002, Gates has been at the forefront of the company's efforts to make security a top priority.

In addition, Microsoft's work in training developers companywide in secure coding practices is virtually unparalleled among major software vendors.

Throw in the various improvements in the company's patching process, security features in Windows and other efforts, and Gates' Trustworthy Computing strategy now looks like a major success, and one that has transformed his company and much of the industry's thinking about security in just four years.

The great thing about lists like this is the discussions they generate. So let me hear who you would have picked and what you think of these choices.

News Editor Dennis Fisher can be reached at