Really nice interview and excelent answers from Marcus. He really seems to understand security ina very broad way (his answers reminds me Bruce S.)...

[ more ]  [ reply ]

I'm surprised Marcus didn't mention his "PS/2 as a security hardened platform" idea in the question about what can be done in the future. I remember sitting with Marcus 10 years ago in Sonoma at CMAD - has anomaly detection improved in those 10 years?
...

[ more ]  [ reply ]

Isn't there anything positive in the advancements of security technology? Why sell security software if you don't believe it works?...

[ more ]  [ reply ]

We are working on it! See the Jericho Forum - http://www.jerichoforum.org ...

[ more ]  [ reply ]

Overall the interview is very good, and provides MJR's position the State of Computer and Network Security. The conclusion of the article reeks or is similiar to the conclusions of his Script Kiddiez Suck and Script Kiddiez Suck 2.0 presentations. The points discussed are very valid, and overall v...

[ more ]  [ reply ]

slashdot away!!!!...

[ more ]  [ reply ]

Thank you Mr. Ranum for telling us what it's really like out there....

[ more ]  [ reply ]

Quite good answers from Mr. Barnum.

Except for the last paragraph.
Hackers don't deserve all the blame, I'm happy these
people are around and test the function of soft- and
hardware. They help us.
Blame should be loaded on criminals....

[ more ]  [ reply ]

The assessment of blame is quite accurate, but it points up the fact that knowing who to blame doesn't really solve any of our problems. A better question would be who is responsible for solving these problems? The hackers carry much of the blame, but naturally none of the responsibility. ...

[ more ]  [ reply ]

I work with intrusion detection systems of a physical kind rather than software, and on certain systems, particularly active infared there is a timing scheme. in this scheme, a transmitter and reciever has an alotted time to Tx and Rx. if a signal is recieved on a time not allotted for recieving, an...

[ more ]  [ reply ]

Well, Mr. Ranum seems to really know his stuff! Why, according to him everything is broken and there's no solution but to write -perfect- hardware and software! Good thing he's not trying to sell some of this admittedly broken software, or he might be a hypocrite.

Also, bravo on placing the blame...

[ more ]  [ reply ]

Wow. I mean here I thought I had a good handle on things but he's got a few ideas in here I hadn't thought about....

[ more ]  [ reply ]

Ranum: "Sometimes, patience is a terrific strategy. Wait and see what happens to the early adopters. If they're all getting hacked to pieces or spending tons of money on patches and upgrades and fixes to the stuff they bought - then it's not ready, yet."

So the hackers are all to blame, but its ...

[ more ]  [ reply ]

Marcus states that he was in charge of the President's email system during the early days. Doesn't it strike anyone as laughable that this guy refers to himself as a security expert when the early email system for whitehouse.gov allowed open SMTP relays?...

[ more ]  [ reply ]

So if there were no hackers we would be secure? I think you need hackers to motivate developement of better security.The ultimate blame really lies at the feet of software companies. ...

[ more ]  [ reply ]

Marcus,

With regard to your observations on "default deny" access policies, most corporations have many times the number of hosts you described in your example - and clearly you're aware of this. Managing ACLs are cumbersome for even a small network.

In America, where I have experience, there...

[ more ]  [ reply ]

Marcus Ranum: "Truly, the only people who deserve a complete helping of blame are the hackers."

Whoah! The group of 'hackers' is described as a big grey mass that makes people's lives difficult and costly.

Really, what do you expect? There are always people out there with ill will. Some do it...

[ more ]  [ reply ]

I think the frustration with hackers stems from the fact that most hackers can't wait to tell you how smart they are that they found one hole in hundreds of applications and thousands of ports. I think the respect should go to the people who find all the holes and plug them. Tell me which is more ...

[ more ]  [ reply ]

While I agree with the majority of the document I disagree with the last part. I'm sorry without hackers, whitehat or blackhat, we would never find out about the numerious security threats out there....

[ more ]  [ reply ]

I just read the quote on slashdot. Blaming hackers for all the world IT trouble. Heh.
In my humble opinion I'd rather 10000 teenagers be accessing system for fun than a foreign government trying to take down a powergrid or major routes the government uses for security communication. ...

[ more ]  [ reply ]

Very good explanation of a lot of the problems out there Marcus. Most people really do not understand all the different problems facing us today in relation to security. There is no one solution to any of this, and if there was, it would probably be too annoying to use. You have to make concessio...

[ more ]  [ reply ]

Marcus seems to have just enough blame to give everyone a little of their own. Not surprisingly, the one group of people who deserve the most blame get the least - security people. Thats right, security people. The loyal citizens of Security are always crapping in your baseball cap about how this...

[ more ]  [ reply ]

I have been in the security/hacking scene for over 15 years now. Its strikes me as odd to hear Ranum blasting hackers for the problems with security. I can recall when Ranum WAS one of the hackers posting exploit code, and hanging out with the underground scene. In a sense, Marcus is one of the g...

[ more ]  [ reply ]

selinux is still in development (actually, the tools and the selinux policy is most in development).

_that_ having been said, selinux has the ability to place some restrictions on network access on a per-user+per-program basis.

it is therefore my belief that a heavily modified version of "fwbu...

[ more ]  [ reply ]

So this is a comment on society in general? Yes. Immoral people are to blame for all of society's woes. This is OK? no. yes. They say war increase technological advance. So if this is viewed as a war between establishment and hackers, then can we say that many technological advances are due to hacke...

[ more ]  [ reply ]

I think your the last comment about limiting access to all hosts to only those destinations they need is an idea worth pursuing, at least within some defined perimiter Why not meld network mapping tools to acl's and firewall rulesets?

Get your baseline for each user as he enters the network an...

[ more ]  [ reply ]

The last part of the interview summarizes what I've been telling everyone for a number of years: everyone is partly responsible for the current mess we live in, from the engineers all the way to the end-users.

In a nutshell, practicing safe networking boils down to:
- excellent engineering at th...

[ more ]  [ reply ]

Great interview Marc. p.s. I also really enjoy your columns in Information Security Magazine. DOn't quit writing.

:-)...

[ more ]  [ reply ]

Marcus,

Great article, right up to the very end where the idiotic point is made that Hackers are to blame for all the problems. Yep, go right ahead and just Shoot the Messenger!

The problems lie squarely on the shoulders of the software producers, be they OS or App producers.

Lets say tha...

[ more ]  [ reply ]

In 1999, 2001 and 2002, I personally sat on panel discussions (one hosted by Marcus Ranum) where I said, "Intrusion Detection can't work, won't work and will never work." I was nearly laughed off stage when making this claim. Marcus was - at the time - still the CTO of Network Flight Recorder.

I ...

[ more ]  [ reply ]

Marcus,

I completely agree with you.

I've participated in several standards groups, most recently the CAPWAP review. It's so blatantly obvious that vendors are jockeying for their implementation despite the more ubiquitous and widely accepted solution. The constant reinventing of the wheel an...

[ more ]  [ reply ]

I do not understand his comments about the RFC process being obsolete.

To quote: "I think if you look at what standards committees have become today, they're really little more than ratification bodies that rubber-stamp the de facto standard. Usually they tweak it a little bit to salve their prid...

[ more ]  [ reply ]

Why are you always talking about what you did in 1990 with the DEC firewall? That is trailing edge code at this point and before Network Associates sold the product to Secure Computing, they couldn't get anyone to buy it. Since 1990 and today, various companies have developed firewalls far more inno...

[ more ]  [ reply ]

It's usefull for smaller environments, where they use unmanageable switches. No firewall will really know, what the client-pc is doing, and so, any hole in the wall will be used. http is allowed? And you have to use a proxy? Doesn't matter, our next evil friend will be able to send his packets out o...

[ more ]  [ reply ]

"They're the ones who are costing us billions of dollars a year to secure our systems against them."

Does this mean that if hacking wasn't an widespread activity, the systems wouldn't be secured? That truly sounds like a security joke......

[ more ]  [ reply ]

"And the results show: 80% of corporate desktops are infected with spyware, 15% of them are infected with keystroke loggers."

Where does this statistic come from?...

[ more ]  [ reply ]

[quote="Marcus Ranum"]
Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems ag...

[ more ]  [ reply ]

I, for one, agree with Marcus. Alot of people are complaining about his last paragraph, but for me that ending was a pleasure to see. All of the so-called hackers I've talked to speak of hacking as a sport, an activity of curiosity, and so on. But it comes down to what the person is actually doin...

[ more ]  [ reply ]

I have seen tools out there to try and address this issue. A french company had a nice cross platform firewall policy tool that could take central policies and generate config files many fire walls and integrated firewall modules. Add on the necessary policy provisioning piece so we can track wh...

[ more ]  [ reply ]

Good is a gross understatement. This is the best article I have read to date about the current state of security....

[ more ]  [ reply ]

MJR has been around the block a few times and has earned the right to speak out, smack down and criticize the rest of us.

There is much wisdom in what he proposes, even if it's not explicitly stated in the interview; take for example the idea that client machines should not be allowed to talk to ...

[ more ]  [ reply ]

In the large companies I've worked for, "only allow the good" is indeed taken to heart. The trouble is that the best and safest definition of "the good" for security personnel is "nothing at all". There is no protocol that is *provably* not usable by a cracker (people have tunneled Telnet over DNS...

[ more ]  [ reply ]

I actually read the entire article! Very insightful....

[ more ]  [ reply ]