Ranum's Wild Security Ride

Marcus Ranum dispels firewall myths, revives Medieval horsemanship, and rants about researchers

Most equestrians ride English or Western style -- Marcus Ranum prefers Western-Medieval. The security industry icon best known for his pioneering work in firewalls will start training this spring to reach his goal of shooting a Mongolian recurve bow at a target while on horseback. But first he has to desensitize his horse to the loud snapping sound the bow makes.

Figure 1:

"I have no idea if this is going to work," says the 45-year-old Ranum, who as a kid participated in Medieval reenactments, and boasts of being one of the first of his friends to score the Dungeons & Dragons series of books back then.

Ranum fell into horses in much the same way he landed in security, not by design. Although he ultimately made a name for himself in firewall and intrusion detection technology, Ranum says security -- like horses -- was never really his thing. "My interest was in systems administration and making things work, and security was a side effect of that," says Ranum, who lives in a self-described "Ted Kaczynski-style compound" in rural Pennsylvania with his horses, dogs, and cats. "I considered it a sideline. But unfortunately, it became my focus."

He doesn't take credit for inventing the firewall -- only for synthesizing and streamlining the concepts of a firewall into the DEC SEAL, which he did while working on DEC's internal Internet gateway. "This whole business of calling me the inventor is wrong... It was some marketing BS," says Ranum, who designed and deployed the DEC SEAL in 1990, which is considered by some to be the first commercial firewall.

"The DEC SEAL was interesting because it had a part number and a manual and corporation behind it," he says, which at the time was unique.

He's currently the chief security officer for Tenable Security, where he acts as "advice-giver" for Tenable developers and helps teach customers how to use the company's Nessus vulnerability scanner. But he says overall, he sees the value of his work in security as ultimately short-term: "Computer security is going to disappear after a while," he says.

Ranum has found a kindred spirit in Bruce Schneier on this fatalistic view of the security industry -- Schneier is well-known for his controversial argument that security shouldn't be a separate market and instead be incorporated into IT products. The two regularly stage point/counterpoint columns where they debate hot industry topics. "Bruce and I agree on a lot of stuff," Ranum says. "Sometimes we have to come up with stuff to disagree on" for our column, he says. (See Schneier On Schneier.)

But it's a different story when it comes to vulnerability researchers: Ranum is vocal about his distaste for their work. "If they are so freaking smart, they should be writing firewall and free executable software and giving it away," he says. He argues that vulnerability research only hurts software developers and has basically twisted the industry's view on security: "They've managed to convince customers that they are supposed to be grateful," he says. "But it's [vulnerability research] making software vastly more expensive" to buy, he says.

Ranum says hacking never appealed to him. The closest he ever got to doing some hacking of his own, he says, was when he was an undergraduate at Johns Hopkins University and tweaked the Cloak program to clean up his logs and cover his tracks when he played Rogue on the university's VAX machines. "That way I could disappear when I was playing games on the VAX," he says. "That's hard to say I was hacking since I didn't have to break in to" use the machine, he says.

"Even then -- as now -- I never thought hacking was very interesting," he says.

Ranum says security really boils down to this: "Security is very simple: Don't do something stupid and you should be just fine," he says.

Personality Bytes

  • What scares Ranum most: "There's a lot of outsourcing happening, and we've de-skilled our federal workforce. That scares the hell out of me. We should be worried about how we spend our money on the best and brightest in the government."

    • On cyberwarfare: "How can you dare talk about fighting cyberwarfare when college kids in China can penetrate the Defense Department network like Swiss cheese?"

    • What most people don't know about him: "I'd rather be an artist."

    • Biggest pet peeve: "Intellectual dishonesty."

    • Biggest regret: "I wish I had patented some of my work."

    • Favorite hangout: "Home."

    • Comfort food: "Tapioca pudding."

    • Music: "I don’t download music. I buy it and rip CDs. The latest thing I bought was Robert Plant and Alison Krause's [CD]."

    • Wheels: "A '74 Belarus 547 tractor, and a GMC Suburban."

    • PC or Mac: "I hate all of them... I have an eight-year-old laptop."

    • What Ranum would like to be most known for: "Telling the truth."

      Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights