Interview with Bill Cheswick

Bill Cheswick logged into his first computer in 1969 and has worked on operating system security for more than 25 years. Since joining Bell Laboratories in 1987, he has worked on network security, PC viruses, mailers, the Plan 9 Operating system, and kernel hacking. With Steven Bellovin, he co-authored Firewalls and Internet Security: Repelling the Wiley Hacker.

Rob Kolstad and Bill Cheswick conducted this interview over email during November and December of 1997.

Rob You've been at the labs for many years. How did you get to your current position?

Bill I was hired as a system administrator: what a great place to learn things. The "less-is-more" approach to programming and system design appealed to me greatly. Subsequently, I met Norman Wilson at a Decus conference, and we became close friends. He was an important link to the labs.

By the way, I strongly recommend that engineers insist on attending a couple conferences a year so they can rub shoulders with leaders in their field and get a good perspective of the issues in their area. This can be negotiated with prospective employers during the hiring process.

I was a system administrator and postmaster for the Computer Science Research Group for several years. I relieved Dave Presotto of the postmaster job because I wanted to learn the ropes on email and the emerging Internet. I also took over the firewall he had built. This I redesigned and reimplemented several times.

By the mid-1990s it was clear that I was more useful as a consultant and speaker than as a postmaster. Bob Flandrena and Paul Glick now handle this unenviable task.

Rob And your current position is in Lucent, right? How has the split-up affected your job?

Bill Yes, I stayed with Bell Labs, which is part of Lucent. I stayed in the same office and company after the AT&T/Lucent split. Many of my friends and colleagues went to AT&T Research, and I miss them. I am glad I stayed with the hard scientists, though.

My work is about the same. Lucent has seemed to be much more eager to develop our projects than AT&T was. I think the folks at Basking Ridge (AT&T) may have mistrusted the labs a bit. (For example, I couldn't sell anyone on a firewall product back in 1991.) Lucent management made Murray Hill the corporate headquarters, and it is clear to me that they have been using the labs a lot more. For example, the patent office has snapped up a couple of ideas I gave them a couple years ago.

There's still plenty of basic or long-term research going on, and I think we have given up trimming the Physics staff.

Rob How go the book sales? Are you chasing the wily hacker, new edition, any time soon?

Bill We are at a slow exponential decay on book sales. Steve and I have been working on the second edition, and clearly some stuff is really dated. For example, the first edition says that email is the primary reason many people connect to the net.

The general stuff is still good, and we are focusing a bit more on that. Also, firewalls aren't quite the same thrust now: they are a useful tool, but there's lots of other aspects to Internet security.

So the second edition is coming along, but I wouldn't hold your breath: we both have a lot of other things to do.

Rob How long does it take to assemble a book like yours?

Bill Months and months. It's like an English assignment that never goes away. The good news is that I am usually writing about something I understand, which wasn't true in English class. Sometimes I'll come to a section and realize that I don't know what I am talking about. I have to take a break and spend some time coming up to speed. For both Steve and me, the consequences of the first edition are taking a lot of our time, so progress is slow.

Arno Penzias, our Nobel prize-winning former VP, said that mundane work forces out creative work. I remember this and try to focus on writing, but email is seductive. I have to ignore the world for a while to get work done.

Basically, I have to quit whining and get to work.

Rob What interesting projects are you working on these days?

Bill Not much, actually. The book is job one, officially. But I have spent time as a poster boy for Lucent, taking junkets here and there. I am recovering from foot surgery, which took a lot of time, and the physical therapy still does.

When the book is done, I may work on dnsproxy and its relation to DNSsec. There are lots of things to do. A simpler ssh? Write the old blit games in Java or Limbo? I have far more ideas than I have time to work on them. Arno says this is a good sign.

Rob You've been in and around so many neat projects. What's the coolest technology that you've seen recently?

Bill Hmm. Submillimeter radar mapping comes to mind. You get an instant topo map of an area. A satellite can take a picture of earth-deformations around an earthquake zone, accurate to about a millimeter.

Genome summaries. The journal Nature has published the source code for two different bacteria in the past year. We understand what only about half of the proteins do right now, but it is way cool to see the summaries so far: these proteins scavenge iron, this one pumps arsenic out of the cell, these are involved in DNA repair, etc., etc. You don't have to be a molecular biologist to find these true nanomachines interesting. If you are tired of amateur hackers, go learn some chemistry and do some real computing.

I'll put in a plug for Inferno here. It took me about two days to get up to speed on it. The cool thing about less-is-more programming is there is much less to learn. The two complete Inferno manuals are smaller than one Idiot's Guide to Using Windows 95.

At the Hackers conference last month, there was a motorized hobby horse that simulates the motion of the Loma Prieta earthquake. I dropped a quarter in to check out the motion before spending another two bits to actually ride it.

GPS still amazes me, and now it is under $100, $125 with CD-ROM map. Who'd have thought that the speed of light could be so manageable?

Chips that perform bulk analysis of DNA sequences and proteins will change the world of diagnostics over the coming years. And yes, I really do want to know if I am prone to a particular disease. The human body needs a good mechanic. I regret that I will never know the results of my own autopsy.

Rob Any observations on the communication industry and where it's headed?

Bill Other than predicting the Y2K problem in 1970, I haven't been very good at prediction. I'll take a couple easy (and obvious?) shots:

• The net will keep growing, but at a moderated rate. Duh. So will most leading network companies, which remain a fine place to invest your savings.
• Internet telephony (and video) are doomed to remain small potatoes as long as the Internet retains its current general configuration and technology. Neither is likely to change quickly. The IP model was not designed to handle "isochronous" data, as the phone system is. An empty Ethernet or backbone can handle voice pretty well, but there is no financial incentive for the ISPs to deploy enough extra capacity to handle it well. You will still be able to call Bolivia on Sunday morning over the Internet, but I don't think you will want to on Wednesday afternoon. It will sound like the mbone.
• I am told that Moore's law is good until around 2010. If so, digital cameras are really going to be terrific in a few years. Sometimes I wonder what it would (will) be like when a $0.02 IC has an IQ of about 70 and a little microphone and speaker. What would an intelligent light bulb do? Would it carry on a discussion with the refrigerator when I am not home? Would we have an ANSI command set for it?
• Crypto will become ubiquitous and strong. Those fast Intel chips are even better for crypto than multimedia.
• The worst effects of the information age won't be drug lords and porn kings with unreadable records. They will be targeted biological weapons. Imagine an airborne HIV with the infectivity of the flu or one that is especially lethal to [your least favorite ethnic group]. These arms races parallel the Internet arms race (and all the other ones), but may turn out to be much nastier. Not a cheerful prediction, and I don't really know how to prepare for this. But I think my children will see it.