Ranum's Wild Security Ride

Marcus Ranum dispels firewall myths, revives Medieval horsemanship, and rants about researchers

Most equestrians ride English or Western style -- Marcus Ranum prefers Western-Medieval. The security industry icon best known for his pioneering work in firewalls will start training this spring to reach his goal of shooting a Mongolian recurve bow at a target while on horseback. But first he has to desensitize his horse to the loud snapping sound the bow makes.

"I have no idea if this is going to work," says the 45-year-old Ranum, who as a kid participated in Medieval reenactments, and boasts of being one of the first of his friends to score the Dungeons & Dragons series of books back then.

Ranum fell into horses in much the same way he landed in security, not by design. Although he ultimately made a name for himself in firewall and intrusion detection technology, Ranum says security -- like horses -- was never really his thing. "My interest was in systems administration and making things work, and security was a side effect of that," says Ranum, who lives in a self-described "Ted Kaczynski-style compound" in rural Pennsylvania with his horses, dogs, and cats. "I considered it a sideline. But unfortunately, it became my focus."

He doesn't take credit for inventing the firewall -- only for synthesizing and streamlining the concepts of a firewall into the DEC SEAL, which he did while working on DEC's internal Internet gateway. "This whole business of calling me the inventor is wrong... It was some marketing BS," says Ranum, who designed and deployed the DEC SEAL in 1990, which is considered by some to be the first commercial firewall.

"The DEC SEAL was interesting because it had a part number and a manual and corporation behind it," he says, which at the time was unique.

He's currently the chief security officer for Tenable Security, where he acts as "advice-giver" for Tenable developers and helps teach customers how to use the company's Nessus vulnerability scanner. But he says overall, he sees the value of his work in security as ultimately short-term: "Computer security is going to disappear after a while," he says.

Ranum has found a kindred spirit in Bruce Schneier on this fatalistic view of the security industry -- Schneier is well-known for his controversial argument that security shouldn't be a separate market and should instead be incorporated into IT products. The two regularly stage point/counterpoint columns where they debate hot industry topics. "Bruce and I agree on a lot of stuff," Ranum says. "Sometimes we have to come up with stuff to disagree on" for the column. (See Schneier On Schneier.)

But it's a different story when it comes to vulnerability researchers: Ranum is vocal about his distaste for their work. "If they are so freaking smart, they should be writing firewall and free executable software and giving it away," he says. He argues that vulnerability research only hurts software developers and has basically twisted the industry's view on security: "They've managed to convince customers that they are supposed to be grateful," he says. "But it's [vulnerability research] making software vastly more expensive" to buy, he says.

Ranum says hacking never appealed to him. The closest he ever got to doing some hacking of his own, he says, was when he was an undergraduate at Johns Hopkins University and tweaked the Cloak program to clean up his logs and cover his tracks when he played Rogue on the university's VAX machines. "That way I could disappear when I was playing games on the VAX," he says. "That's hard to say I was hacking since I didn't have to break in to" use the machine, he says.

"Even then -- as now -- I never thought hacking was very interesting," he says.

Ranum says security really boils down to this: "Security is very simple: Don't do something stupid and you should be just fine."

Personality Bytes

  • What scares Ranum most: "There's a lot of outsourcing happening, and we've de-skilled our federal workforce. That scares the hell out of me. We should be worried about how we spend our money on the best and brightest in the government."

  • On cyberwarfare: "How can you dare talk about fighting cyberwarfare when college kids in China can penetrate the Defense Department network like Swiss cheese?"

  • What most people don't know about him: "I'd rather be an artist."

  • Biggest pet peeve: "Intellectual dishonesty."

  • Biggest regret: "I wish I had patented some of my work."

  • Favorite hangout: "Home."

  • Comfort food: "Tapioca pudding."

  • Music: "I don’t download music. I buy it and rip CDs. The latest thing I bought was Robert Plant and Alison Krauss's [CD]."

  • Wheels: "A '74 Belarus 547 tractor, and a GMC Suburban."

  • PC or Mac: "I hate all of them... I have an eight-year-old laptop."

  • What Ranum would like to be most known for: "Telling the truth."

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
