Pete Herzog (born October 5, 1970) is a security analyst, neuro-hacker and social-engineering practitioner, creator of the OSSTMM, and co-founder of ISECOM, an open, non-profit security research organization. He has been recognized for the many tools, documents, and methodologies he provides freely through ISECOM. He also started the Hacker Highschool Project to provide information security awareness to teens, the Home Security Methodology Vacation Guide as a thorough checklist for securing a home, the Smarter Safer Better project to teach trust analysis and critical security thinking to non-security people, and the Bad People Project to find a set of common safety rules for children that are free of cultural bias. He taught Business Security in the ESADE MBA program and Information Security in the La Salle URL Masters program, both in Barcelona, Spain.
Herzog was born in Brooklyn, New York, USA. He attended high school in Queensbury, New York, and earned a bachelor's degree from Syracuse University in 1993. He currently resides near Barcelona, Spain.
In 2001, Herzog created the Open Source Security Testing Methodology Manual (OSSTMM) and released it free to the public. In 2002 he did the same with Hacker Highschool, creating 12 lessons with volunteers and providing them free to the public. In 2008, the third edition of Hacking Exposed Linux was published; it was attributed to ISECOM, with Herzog named as project leader. He wrote the first three chapters, which specifically cover using the OSSTMM to test Linux security, and integrated the OSSTMM into the other chapters.
Very little has been written about his work experience beyond what he has said in interviews.
"Without admitting to the 'bad stuff' let's say I started in physical security. At age 16 I hung out with the store detectives where I worked. By 18, I was kind of an authority at my university on identification fraud even working to teach local businesses on how to know a real I.D. from a fake. That summer I was hired to do "beer stings" to test store clerks to see how far I could push them to sell me beer illegally but stopped after a couple months because I never had the heart to fire those who failed (I only gave stern warnings). By my last year in University, I worked in the computer lab battling disk viruses and breaking copy protection for professors who wanted to "try" unlicensed software. At the same time, I was paying for school by working sting jobs for a couple chains to catch embezzlement as well as point out other security lapses. Unfortunately, I stepped away from security after college for a few years while chasing dreams and some bad ideas too. Although security was often part of my various jobs, I didn't consider it as a profession until IBM Germany tapped me to be on their ethical hacking team. So I left my cushy software-testing job at Intel to be a full-time hacker. The rest is all security after that."
Later, in an interview with LearnSecurityOnline, he expands on the "bad stuff" he refers to:
"My experience begins with work in physical and human security doing undercover sting operations and clean-up work (we also called it "fire and hire" but also "hack and slash" when there was a real mess) which supported my want of that expensive computer equipment in the 90s. But I always had my own sense of fairness. This frustrated my employers because I wouldn't always turn in the guilty if I thought they didn't deserve punishment. For me it was always about what was fair and I still do not equate the law with justice. So like most anyone who began their history in security with the start of the Internet, we were travelers and spelunkers across this new channel and only later called hackers or crackers when the few bad apples made the news. But back then most of us were curious and not malicious. Personally, I did no harm. But then again I respect what other people have and their privacy. They don't build fences for people like me."