Pete Herzog

From Wikipedia, the free encyclopedia

Pete Herzog (born October 5, 1970) is a security analyst, neuro-hacker and social-engineering practitioner, creator of the OSSTMM, and the co-founder of the open, non-profit security research organization ISECOM.[1] He has been recognized[by whom?] for the many tools, documents, and methodologies he provides freely through ISECOM. He also started the Hacker Highschool Project to provide information security awareness to teens, the Home Security Methodology Vacation Guide as a thorough checklist for securing a home, the Smarter Safer Better project to teach trust analysis and critical security thinking to non-security people, and the Bad People Project to find a set of common safety rules for children that are free of cultural bias. He taught Business Security in the ESADE MBA program and Information Security in the La Salle URL Masters program, both in Barcelona, Spain.

Herzog was born in Brooklyn, NY, USA. He attended high school in Queensbury, NY. He earned a bachelor's degree from Utica College of Syracuse University in 1993. He currently resides near Barcelona, Spain.

In 2001, Herzog created the Open Source Security Testing Methodology Manual (OSSTMM) and provided it for free to the public. In 2002 he did the same with Hacker Highschool, creating 12 lessons with volunteers and providing them for free to the public. In 2008, the book Hacking Exposed Linux 3 was published; it was attributed to ISECOM, with Herzog named as Project Leader. He wrote the first three chapters, which specifically cover using the OSSTMM to test Linux security, and integrated the OSSTMM into other chapters.

Little has been written about his work experience beyond what appears in interviews.

"Without admitting to the 'bad stuff' let's say I started in physical security. At age 16 I hung out with the store detectives where I worked. By 18, I was kind of an authority at my university on identification fraud even working to teach local businesses on how to know a real I.D. from a fake. That summer I was hired to do "beer stings" to test store clerks to see how far I could push them to sell me beer illegally but stopped after a couple months because I never had the heart to fire those who failed (I only gave stern warnings). By my last year in University, I worked in the computer lab battling disk viruses and breaking copy protection for professors who wanted to "try" unlicensed software. At the same time, I was paying for school by working sting jobs for a couple chains to catch embezzlement as well as point out other security lapses. Unfortunately, I stepped away from security after college for a few years while chasing dreams and some bad ideas too. Although security was often part of my various jobs, I didn't consider it as a profession until IBM Germany tapped me to be on their ethical hacking team. So I left my cushy software-testing job at Intel to be a full-time hacker. The rest is all security after that."[2]

Later, in an interview with LearnSecurityOnline, he expands on the "bad stuff" he refers to:

"My experience begins with work in physical and human security doing undercover sting operations and clean-up work (we also called it "fire and hire" but also "hack and slash" when there was a real mess) which supported my want of that expensive computer equipment in the 90s. But I always had my own sense of fairness. This frustrated my employers because I wouldn't always turn in the guilty if I thought they didn't deserve punishment. For me it was always about what was fair and I still do not equate the law with justice. So like most anyone who began their history in security with the start of the Internet, we were travelers and spelunkers across this new channel and only later called hackers or crackers when the few bad apples made the news. But back then most of us were curious and not malicious. Personally, I did no harm. But then again I respect what other people have and their privacy. They don't build fences for people like me."[3]

In an October 2015 article for Opensource, Herzog explains why he worked with open source and why he created the Open Methodology License:

"Later we learned that a methodology couldn't be copyrighted as it was legally considered a trade secret. All I was doing was copyrighting the written words, but not protecting the method. What we needed was an open trade secret, which didn't exist. So I talked to lawyers. I spent a weekend creating the Open Methodology License (OML), which originally borrowed heavily from the GPL with the only purpose of labeling something as a Trade Secret with the owner being everyone. An open trade secret. Go figure. That let us keep the methodology open and free while restricting forks and rewrites of the document as a standard that industries could uphold for regulatory requirements."[4]

Videos and Podcasts with Herzog:
2015 RVAsec presentation on Hacking the Stock Market
2014 RVAsec presentation on Security Awareness
2010 SecTor Canada Presentation on Trust
2010 #days Switzerland on Security Research and Philosophy
2010 Eurotrash Security Podcast Interview
2010 CyberPatriot Interview
2009 BlackHat Amsterdam Interview
2008 Swiss Symposium about OSSTMM
2007 FOSDEM presentation on Security Testing
2003 Hacker Highschool Teacher class