[ISN] Interview with Marcus Ranum

InfoSec News isn at c4i.org
Fri Jun 24 01:24:26 EDT 2005

Forwarded from: security curmudgeon <jericho at attrition.org>

: http://www.securityfocus.com/columnists/334
: Federico Biancuzzi
: I am Marcus Ranum, Chief Security Officer of Tenable Network Security, 
: Inc., the producers of the Nessus vulnerability scanner and a suite of 
: security vulnerability management tools. I've been working in the 
: computer security arena for about 20 years, now, and was the designer 
: and implementor of a variety of security solutions in the past, 
: including firewalls, VPNs, and intrusion detection systems. I like to 
: think I've been around long enough and done a wide enough variety of 
: things that I've achieved a pretty good perspective on the trade-offs 
: inherent in security technology.

: Do you see any new, interesting, or promising path for network security?
: Nope! I see very little that's new and even less that's interesting.  
: The truth is that most of the problems in network security were fairly 
: well-understood by the late 1980's. What's happening is that the same 
: ideas keep cropping up over and over again in different forms. For 
: example, how many times are we going to re-invent the idea of 
: signature-based detection? Anti-virus, Intrusion detection, Intrusion 
: Prevention, Deep Packet Inspection - they all do the same thing: try to 
: enumerate all the bad things that can happen to a computer. It makes 
: more sense to try to enumerate the good things that a computer should be 
: allowed to do.
: I believe we're making zero progress in computer security, and have been 
: making zero progress for quite some time. 

I'd agree with Ranum for the most part, as would most security folks that 
have been around a while. However, it's hard to swallow these comments 
when Ranum starts out saying he works for a company that does the same 
thing as others have for a decade or more, works on products that all work 
on the principal he scorns, and continues to profit off these solutions 
without changing them up or truly innovating them, no?

: We recently saw a case where a hacker made significant penetrations into 
: some very secure systems using an attack against the trust relationships 
: between the different systems in a large research community. The hacker 
: compromised one researcher's account at a university and trapdoored the 
: researcher's SSH client. When the researcher logged into a system at 
: another research facility, the hacker now had the researchers' SSH 
: password and was able to penetrate the next facility, set up a 
: trapdoored SSH client there, and eventually he got the root account as 
: the administrator SSH'd into a local server. The hacker had several 
: months worth of fun and by the time it was all over, he had compromised 
: several hundred systems and gained administrative privileges in 5 
: different research facilities across the Internet. Having per-desktop 
: firewalls would not have helped at all in this type of scenario, 
: unfortunately, since once the hacker was into the first system, they 
: were operating entirely at an application level.

Recently? This describes attacks dating back to 1994 that I am personally 
aware of, longer before that with absolutely no doubt. Fifteen years 
later, all of the security products Ranum helped write, market and profit 
off of, still don't stop this kind of attack. What does that tell us?

: Whenever someone tells you that there's a novel, easy, solution to 
: security, it's either because they don't understand security or they're 
: trying to sell you something that isn't going to work.

  Tenable delivers several varieties of enterprise security technology in 
  one converged product suite offering. Each of these are easy to install, 
  operate, and configure for secure information sharing across the entire 
  enterprise. By combining many of these diverse technologies into one 
  platform, Tenable is changing the way IT and Security organizations 
  handle security for enterprise networks. 

: Truly, the only people who deserve a complete helping of blame are the 
: hackers. Let's not forget that they're the ones doing this to us.  
: They're the ones who are annoying an entire planet. They're the ones who 
: are costing us billions of dollars a year to secure our systems against 
: them. They're the ones who place their desire for fun ahead of everyone 
: on earth's desire for peace and [the] right to privacy.

Just as we have to blame criminals for the locks on our doors, the car 
alarms, building alarms, video cameras and everything else 'security'.. 

Just like those evil fucking hackers that gave us script kiddy exploits to 
help keep ourselves hidden while hacking unix boxen? Or monitor other 
user's activity and compromise *their* privacy? Do you remember cloak2.c 
and spy.c perchance?

 *      C L O A K
 *      Wrap yourself in a cloak of darkness (heh heh heh).
 *      Michael S. Baldwin,  Matthew Diaz  1982
 *      Marcus J. Ranum - 1983 - complete re-write and munging
 *      added more options, and all kinds of evil - including the
 *      ability to vanish from wtmp and acct as well as utmp. Added more
 *      error checking and useful command syntax. Now you can attribute
 *      all *YOUR* CPU usage to others when playing hack !!!

        Marcus Ranum 1985
        usage: spy &
        the program will exit cleanly when you log out.



More information about the ISN mailing list