Most equestrians ride English or Western style -- Marcus Ranum prefers Western-Medieval. The security industry icon best known for his pioneering work in firewalls will start training this spring to reach his goal of shooting a Mongolian recurve bow at a target while on horseback. But first he has to desensitize his horse to the loud snapping sound the bow makes.
"I have no idea if this is going to work," says the 45-year-old Ranum, who as a kid participated in Medieval reenactments, and boasts of being one of the first of his friends to score the Dungeons & Dragons series of books back then.
Ranum fell into horses in much the same way he landed in security, not by design. Although he ultimately made a name for himself in firewall and intrusion detection technology, Ranum says security -- like horses -- was never really his thing. "My interest was in systems administration and making things work, and security was a side effect of that," says Ranum, who lives in a self-described "Ted Kaczynski-style compound" in rural Pennsylvania with his horses, dogs, and cats. "I considered it a sideline. But unfortunately, it became my focus."
He doesn't take credit for inventing the firewall -- only for synthesizing and streamlining the concepts of a firewall into the DEC SEAL, which he did while working on DEC's internal Internet gateway. "This whole business of calling me the inventor is wrong... It was some marketing BS," says Ranum, who designed and deployed the DEC SEAL in 1990, which is considered by some to be the first commercial firewall.
"The DEC SEAL was interesting because it had a part number and a manual and corporation behind it," he says, which at the time was unique.
He's currently the chief security officer for Tenable Security, where he acts as "advice-giver" for Tenable developers and helps teach customers how to use the company's Nessus vulnerability scanner. But he says overall, he sees the value of his work in security as ultimately short-term: "Computer security is going to disappear after a while," he says.
Ranum has found a kindred spirit in Bruce Schneier on this fatalistic view of the security industry -- Schneier is well known for his controversial argument that security shouldn't be a separate market and should instead be incorporated into IT products. The two regularly stage point/counterpoint columns where they debate hot industry topics. "Bruce and I agree on a lot of stuff," Ranum says. "Sometimes we have to come up with stuff to disagree on" for the column, he says. (See Schneier On Schneier.)
But it's a different story when it comes to vulnerability researchers: Ranum is vocal about his distaste for their work. "If they are so freaking smart, they should be writing firewall and free executable software and giving it away," he says. He argues that vulnerability research only hurts software developers and has basically twisted the industry's view on security: "They've managed to convince customers that they are supposed to be grateful," he says. "But it's [vulnerability research] making software vastly more expensive" to buy, he says.
Ranum says hacking never appealed to him. The closest he ever got to doing some hacking of his own, he says, was when he was an undergraduate at Johns Hopkins University and tweaked the Cloak program to clean up his logs and cover his tracks when he played Rogue on the university's VAX machines. "That way I could disappear when I was playing games on the VAX," he says. "That's hard to say I was hacking since I didn't have to break in to" use the machine, he says.
"Even then -- as now -- I never thought hacking was very interesting," he says.
Ranum says security really boils down to this: "Security is very simple: Don't do something stupid and you should be just fine."