[ISN] Ranum's Wild Security Ride

From: InfoSec News (alerts@private)
Date: Thu Dec 06 2007 - 23:13:04 PST


http://www.darkreading.com/document.asp?doc_id=140640

By Kelly Jackson Higgins
Senior Editor
Dark Reading
December 5, 2007

Most equestrians ride English or Western style -- Marcus Ranum prefers 
Western-Medieval. The security industry icon best known for his 
pioneering work in firewalls will start training this spring to reach 
his goal of shooting a Mongolian recurve bow at a target while on 
horseback. But first he has to desensitize his horse to the loud 
snapping sound the bow makes.

"I have no idea if this is going to work," says the 45-year-old Ranum, 
who as a kid participated in Medieval reenactments, and boasts of being 
one of the first of his friends to score the Dungeons & Dragons series 
of books back then.

Ranum fell into horses in much the same way he landed in security, not 
by design. Although he ultimately made a name for himself in firewall 
and intrusion detection technology, Ranum says security -- like horses 
-- was never really his thing. "My interest was in systems 
administration and making things work, and security was a side effect of 
that," says Ranum, who lives in a self-described "Ted Kaczynski-style 
compound" in rural Pennsylvania with his horses, dogs, and cats. "I 
considered it a sideline. But unfortunately, it became my focus."

He doesn't take credit for inventing the firewall -- only for 
synthesizing and streamlining the concepts of a firewall into the DEC 
SEAL, which he did while working on DEC's internal Internet gateway. 
"This whole business of calling me the inventor is wrong... It was some 
marketing BS," says Ranum, who designed and deployed the DEC SEAL in 
1990, which is considered by some to be the first commercial firewall.

"The DEC SEAL was interesting because it had a part number and a manual 
and corporation behind it," he says, which at the time was unique.

He's currently the chief security officer for Tenable Security, where he 
acts as "advice-giver" for Tenable developers and helps teach customers 
how to use the company's Nessus vulnerability scanner. But he says 
overall, he sees the value of his work in security as ultimately 
short-term: "Computer security is going to disappear after a while," he 
says.

Ranum has found a kindred spirit in Bruce Schneier on this fatalistic 
view of the security industry -- Schneier is well-known for his 
controversial view that security shouldn't be a separate market and 
instead be incorporated into IT products. The two regularly stage 
point/counterpoint columns where they debate hot industry topics. "Bruce 
and I agree on a lot of stuff," Ranum says. "Sometimes we have to come 
up with stuff to disagree on" for our column, he says. (See Schneier On 
Schneier.)

But it's a different story when it comes to vulnerability researchers: 
Ranum is vocal about his distaste for their work. "If they are so 
freaking smart, they should be writing firewall and free executable 
software and giving it away," he says. He argues that vulnerability 
research only hurts software developers and has basically twisted the 
industry's view on security: "They've managed to convince customers that 
they are supposed to be grateful," he says. "But it's [vulnerability 
research] making software vastly more expensive" to buy, he says.

Ranum says hacking never appealed to him. The closest he ever got to 
doing some hacking of his own, he says, was when he was an undergraduate 
at Johns Hopkins University and tweaked the Cloak program to clean up 
his logs and cover his tracks when he played Rogue on the university's 
VAX machines. "That way I could disappear when I was playing games on 
the VAX," he says. "That's hard to say I was hacking since I didn't have 
to break in to" use the machine, he says.

"Even then -- as now -- I never thought hacking was very interesting," 
he says.

Ranum says security really boils down to this: "Security is very simple: 
Don't do something stupid and you should be just fine," he says.


Personality Bytes

* What scares Ranum most: "There's a lot of outsourcing happening, and 
  we've de-skilled our federal workforce. That scares the hell out of 
  me. We should be worried about how we spend our money on the best and 
  brightest in the government."

* On cyberwarfare: "How can you dare talk about fighting cyberwarfare 
  when college kids in China can penetrate the Defense Department 
  network like Swiss cheese?"

* What most people don't know about him: "I'd rather be an artist."

* Biggest pet peeve: "Intellectual dishonesty."

* Biggest regret: "I wish I had patented some of my work."

* Favorite hangout: "Home."

* Comfort food: "Tapioca pudding."

* Music: "I don't download music. I buy it and rip CDs. The latest thing 
  I bought was Robert Plant and Alison Krauss's [CD]."

* Wheels: "A '74 Belarus 547 tractor, and a GMC Suburban."

* PC or Mac: "I hate all of them... I have an eight-year-old laptop."

* What Ranum would like to be most known for: "Telling the truth."


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/
