SATAN's child, erstwhile hacker, business entrepreneur

November 2001

Judy Mottl/Information Security Magazine

John Flowers has SATAN to thank for the inspiration behind IP360, the intrusion prevention system he created in 1998. Not Satan the antichrist, but SATAN (Security Administrator Tool for Analyzing Networks), the remote systems scanner developed by Dan Farmer in the early 1990s.

When Flowers first heard about SATAN in 1992, the 31-year-old founder and chief scientist of nCircle Network Security ( assumed it marked the start of an era of rapid innovation in security monitoring. For six years, he waited for someone to take the next logical step: a distributed, centrally managed version of SATAN. By 1998, he got tired of waiting and took the bull by the horns.

SATAN was jointly developed by Dan Farmer and Wietse Venema and released in February 1995

"It's one of the reasons I started [nCircle]," Flowers says. "I looked at [SATAN] and I could only imagine what people were going to do with it. I could see it being distributed and creating this wide global network infrastructure--a security skeleton on top of the network that watches and monitors everything. I thought companies would now be able to run networks according to business requirements without having to worry about hackers."

Flowers knows about the hacker mentality--his critics might say a little too well. An early member of the WELL and an active BBS user, he was 13 when he discovered how to "phone phreak" (use public phone lines for free calls and 'Net access). After the FBI caught up to him, he drew a six-month juvenile detention stint for wire fraud.

The term "phone phreak" is used to describe the study, experimentation and exploitation of telephones, telephone equipment, and systems connected to the Public Switched Telephone Network (PSTN). Using public phone lines for free phone calls and computer network access is an unfortunate criminal side-effect of the hobby.

After an 18-month self-imposed exile, Flowers returned to computers, though this time his interests were thwarting intrusions, not perpetrating them; and protecting systems, not breaking them. But that doesn't mean he has completely exorcised all his "dark" interests. Flowers has the dubious distinction of taking first place in the Capture the Flag intrusion contests at DefCon 1 and 2, and second place at DefCon 3.

The first CTF contest was held at DefCon 4. A lone gunman player going under the handle AJ Reznor won the innagural CTF contest, as well as the second one, held during DefCon 5.

These skills came in handy at Hiverworld Inc., a privately held Berkeley, Calif., network risk management firm he started in 1998. The firm offered security audits and penetration testing services, essentially breaking into client systems to determine vulnerabilities, and then plugging the holes.

The name Hiverworld reflects Flowers's longtime attraction to word play. Spelled as "Hive R World," it means "turning the world into a giant hive, where everything communicates." Spelled as "Hiverworld," hiver becomes a French world meaning winter, which Flowers says relates to the "white hat" character in the cyberspace/science fiction novel Neuromancer, by William Gibson.

There is no "white hat" character in Neuromancer, although the "winter" reference probably refers to the character named "Wintermute" from the novel.

Earlier this year, Flowers and his team decided it was time to throw more support behind the fledgling IP360. They hired a new executive team and reached out to venture capitalists. In August, nCircle garnered $11.3 million in VC, most of which will used for IP360 development. At the urging of the underwriters, the firm was renamed nCircle Network Security. Unlike Hiverworld, the nCircle name doesn't have an interesting story behind it (except, perhaps, that Flowers insisted they avoid acronyms at all costs).

nCircle was originally started as Hiverworld and was later renamed.

Officially released in April, IP360 allows distributed systems to communicate and share information with each other using a common language via a browser-based interface. It identifies the operating system and applications on each network device, and based on that, scans for vulnerabilities that affect the device. By continuously integrating the discovery information into the systems' intrusion sensors, IP360 limits alerts to attacks that are targeting actual vulnerabilities, thereby reducing the number of false positives.

nCircle's holistic approach is "cutting edge," says Olivia Golden, VP of equity research for Bear, Stearns & Co., based in New York.

"We're seeing integration of products, a hybrid approach, as a much more intelligent security approach, since it takes into account the data of vulnerabilities and the IDS portion," says Golden, adding that the majority of IDS vendors are just starting to "leech on" to the idea. For instance, this spring Internet Security Systems ( launched its Diamond strategy, which aims to integrate its host-based and network-based IDS solutions. Symantec ( recently announced plans to offer an integrated host-based IDS and vulnerability assessment.

Describing nCircle as a "pioneer" in next-generation network security, Golden lauded IP360's cost effectiveness, since it leverages a customer's existing IT staff to manage network security.

Flowers has mapped out a four-year plan full of enhancements to IP360. The focus, in the future, is on managing corporate policy.

"Every company has a different policy: one says you can't run Solaris, another says you can't run Windows. Those are the things that make a business unique," Flowers says. "It's corporate policy that dictates that ABC Corp., as a vendor, can't read a business patent file, but yet it's not a security issue as they may have access to that server. It's those policy decisions that we're going to focus on."

"Network security is in its infancy," he adds. "We still haven't figured out how to protect our network much less the policy aspect of that network. So I'm trying to take that next step. It's always been about trying to protect every aspect of the corporate network, especially the details that make the network unique."

main page ATTRITION feedback