Karl Kasper (better known as Tan or John Tan) is a former member of the hacker think tank the L0pht and a co-founder of @stake.

Education

In 1993, Tan earned a B.S./B.A. in Management Science from Northeastern University, Boston, School of Business [1], with a concentration in Management Information Systems.

L0pht

In 1996, Tan joined the L0pht [2], a hacker think tank and hangout for many of the computer security elite. As a resident of the L0pht, Tan published an advisory on Novell NetWare 3.x [3], one of the earliest of the L0pht's full-disclosure security advisories, which date back to 1996. Tan also organized the L0pht as a business (an S corporation); it grew from 1997 through 1999 and was eventually merged into @stake [4].

While with the L0pht, Tan published two major white papers. The first, Cyber UL [5] (1999), was widely cited and characterized as a "no holds barred look at what's wrong with software and professional security certifications". The paper identifies a conflict of interest between those who fund the certification process and those who perform it, and argues that the insurance industry may be the only credible funder, on the model of Underwriters Laboratories. Tan's second white paper, "Online Banking: Everyone's a @#$%Z^&* Expert", compares face-to-face, automated teller machine and online banking transactions and demonstrates an architectural problem with the online model: it trusts the customer's home PC. Written in 1999, it anticipates the spirit of the original 2005 FDIC/FFIEC Guidance on Authentication for Internet Banking [6]. Push-back from the financial industry, however, led to unclear guidelines, which gave rise to a new breed of snake oil in the multi-factor (two-factor) authentication space.

In 1998, Tan testified with six other L0pht members before the U.S. Senate Committee on Governmental Affairs [7]. As a member of the L0pht, he also spoke at the SANS Institute, at Northeastern University's chapter of the Association for Computing Machinery, at Boston College for Professor Gallaugher [8], and elsewhere.

@stake

In 2000, the L0pht joined Dan Geer, Forrester Research analyst Ted Julian and a cast of consulting-industry figures to launch @stake [9]. Tan's role at @stake produced his next major white paper, Forensic Readiness [10], published in @stake's Secure Business Quarterly [11]. Tan also played the lead technical role in a number of cyber investigations, the most notable and public of which was United States v. R. Duronio [12] (see Computer fraud case studies, Case 3: Malicious Systems Admin at UBS). The incident involved the sabotage of over 1,000 Sun Microsystems (Solaris) and IBM (AIX) systems across the country and caused millions of dollars in damages. Under Tan's technical leadership, the @stake team identified a perpetrator and produced enough evidence to obtain the initial search warrant. From there, Tan's "Findings for Evaluation as Evidence" report was used by the Assistant United States Attorney, together with financial records and witness accounts, to obtain a 2002 indictment [13], a 2006 guilty verdict [14], an eight-year sentence and over a million dollars in fines [15] against a defendant who pulled out every defense in the book, including attacks on the evidence [16] and on those involved in the investigation [17], Tan himself among them. The evidence, both digital and otherwise, held solid, and the case set a number of important precedents for the use of digital evidence in court.

While with @stake, Tan presented at Black Hat Briefings [18], CanSecWest [19], the M.I.T. Summer Security Camp [20] and many other venues. He left @stake in Q2 2003.

Current

Independently, Tan made an uncredited appearance in Votergate [21] (IMDb title ID tt0435771 [22]), a 2004 Hamptons International Film Festival selection, speaking out against the quality, from a security standpoint, of the Diebold Election Systems source code [23].

John Tan has since returned to the financial services industry, where he has 12 years of experience in information technology and computer security positions, playing a private role outside the spotlight.