[ISN] Ranum's Wild Security Ride

From: InfoSec News (alerts@infosecnews.org)
Date: Fri Dec 07 2007 - 01:13:04 CST


http://www.darkreading.com/document.asp?doc_id=140640

By Kelly Jackson Higgins
Senior Editor
Dark Reading
December 5, 2007

Most equestrians ride English or Western style -- Marcus Ranum prefers
Western-Medieval. The security industry icon best known for his
pioneering work in firewalls will start training this spring to reach
his goal of shooting a Mongolian recurve bow at a target while on
horseback. But first he has to desensitize his horse to the loud
snapping sound the bow makes.

"I have no idea if this is going to work," says the 45-year-old Ranum,
who as a kid participated in Medieval reenactments, and boasts of being
one of the first of his friends to score the Dungeons & Dragons series
of books back then.

Ranum fell into horses in much the same way he landed in security, not
by design. Although he ultimately made a name for himself in firewall
and intrusion detection technology, Ranum says security -- like horses
-- was never really his thing. "My interest was in systems
administration and making things work, and security was a side effect of
that," says Ranum, who lives in a self-described "Ted Kaczynski-style
compound" in rural Pennsylvania with his horses, dogs, and cats. "I
considered it a sideline. But unfortunately, it became my focus."

He doesn't take credit for inventing the firewall -- only for
synthesizing and streamlining the concepts of a firewall into the DEC
SEAL, which he did while working on DEC's internal Internet gateway.
"This whole business of calling me the inventor is wrong... It was some
marketing BS," says Ranum, who designed and deployed the DEC SEAL in
1990, which is considered by some to be the first commercial firewall.

"The DEC SEAL was interesting because it had a part number and a manual
and corporation behind it," he says, which at the time was unique.

He's currently the chief security officer for Tenable Security, where he
acts as "advice-giver" for Tenable developers and helps teach customers
how to use the company's Nessus vulnerability scanner. But he says
overall, he sees the value of his work in security as ultimately
short-term: "Computer security is going to disappear after a while," he
says.

Ranum has found a kindred spirit in Bruce Schneier on this fatalistic
view of the security industry -- Schneier is well-known for his
controversial view that security shouldn't be a separate market and
should instead be incorporated into IT products. The two regularly stage
point/counterpoint columns where they debate hot industry topics. "Bruce
and I agree on a lot of stuff," Ranum says. "Sometimes we have to come
up with stuff to disagree on" for our column, he says. (See Schneier On
Schneier.)

But it's a different story when it comes to vulnerability researchers:
Ranum is vocal about his distaste for their work. "If they are so
freaking smart, they should be writing firewall and free executable
software and giving it away," he says. He argues that vulnerability
research only hurts software developers and has basically twisted the
industry's view on security: "They've managed to convince customers that
they are supposed to be grateful," he says. "But it's [vulnerability
research] making software vastly more expensive" to buy, he says.

Ranum says hacking never appealed to him. The closest he ever got to
doing some hacking of his own, he says, was when he was an undergraduate
at Johns Hopkins University and tweaked the Cloak program to clean up
his logs and cover his tracks when he played Rogue on the university's
VAX machines. "That way I could disappear when I was playing games on
the VAX," he says. "That's hard to say I was hacking since I didn't have
to break in to" use the machine, he says.

"Even then -- as now -- I never thought hacking was very interesting,"
he says.

Ranum says security really boils down to this: "Security is very simple:
Don't do something stupid and you should be just fine," he says.

Personality Bytes

* What scares Ranum most: "There's a lot of outsourcing happening, and
  we've de-skilled our federal workforce. That scares the hell out of
  me. We should be worried about how we spend our money on the best and
  brightest in the government."

* On cyberwarfare: "How can you dare talk about fighting cyberwarfare
  when college kids in China can penetrate the Defense Department
  network like Swiss cheese?"

* What most people don't know about him: "I'd rather be an artist."

* Biggest pet peeve: "Intellectual dishonesty."

* Biggest regret: "I wish I had patented some of my work."

* Favorite hangout: "Home."

* Comfort food: "Tapioca pudding."

* Music: "I don't download music. I buy it and rip CDs. The latest thing
  I bought was Robert Plant and Alison Krauss's [CD]."

* Wheels: "A '74 Belarus 547 tractor, and a GMC Suburban."

* PC or Mac: "I hate all of them... I have an eight-year-old laptop."

* What Ranum would like to be most known for: "Telling the truth."

__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/