
Interview with Marcus Ranum

Federico Biancuzzi, 2005-06-21

Could you introduce yourself?

I am Marcus Ranum, Chief Security Officer of Tenable Network Security, Inc., the producers of the Nessus vulnerability scanner and a suite of security vulnerability management tools. I've been working in the computer security arena for about 20 years, now, and was the designer and implementor of a variety of security solutions in the past, including firewalls, VPNs, and intrusion detection systems. I like to think I've been around long enough and done a wide enough variety of things that I've achieved a pretty good perspective on the trade-offs inherent in security technology.

I was the designer and implementor of the first commercial firewall product, the DEC SEAL, in 1990, and was an early innovator in proxy firewalls. In 1992 I wrote the TIS Firewall Toolkit and Gauntlet firewall, and set up and managed The President's email server (whitehouse.gov) during its first year of operation. I was founder and CEO of Network Flight Recorder, an early innovator in the IDS market, as well.

IPv6 should be the future. Do you see a more secure future then?

No, IPv6 isn't going to solve anything.

IPv6 is just another network protocol, and if you look at where the problems are occurring in computer security, they're largely up in application space. From a security standpoint IPv6 adds very little that could offer an improvement: in return for the addition of some encryption and machine-to-machine authentication, we get a great deal of additional complexity. The additional complexity of the IPv6 stack will certainly prove to be the home of all kinds of fascinating new bugs and denial-of-service attacks. Also, don't forget that the current version of IP has encryption and authentication built in already - and that hasn't helped solve any problems at all.

Do you think that the problem is that we can't develop a secure protocol, or that people who define standards underestimate security threats?

That's a profound question.

There are a lot of factors that combine to defeat security in up-front design. For example, there's basic human nature: the guys who are defining standards can't resist the urge to leave their personal stamp on the future - which results in standards that generally have been assembled based on a process of negotiation by committee. That doesn't really work. That's what gives us these insanely complex multi-optioned heavily layered standards that nobody really understands: every person on the committee had to lobby to get his or her favorite feature included. I don't think that process in any way helps bring about useful security standards. A case in point would be the IETF's terrible fruitless attempts to establish a standard on IPSEC (IP crypto). It only took something like 9 years. Those of us in the commercial world who needed solutions just went ahead and solved the problem for ourselves while the IETF kept arguing. If I recall correctly, when we added IP crypto to our Gauntlet firewall in 1993, it took my engineer on that feature about two months to come up with a complete proprietary implementation.

I don't think that the standards committees underestimate security threats; I just think they're too busy doing things that are more important to them -- like holding meetings and writing minutes, or whatever it is that they do all the time. The standards I've seen that try to address security all seem to be over-engineered and too late, while the standards that ignore security are usually rapidly adopted and full of security problems. It's a no-win situation either way.

Do you have any idea how to improve the way RFCs get created?

I think the whole RFC process is obsolete.

In fact, it never would have worked at all, if not for the fact that in the early days, nobody cared about the Internet. So the IETF could have their meetings and write their RFCs in a vacuum that was free of commercial interest. Once the Internet became a commercial phenomenon, you can see that the IETF's productivity basically went to zero because the vendors were all trying to pack the working groups with their people to make sure that their existing implementations got selected as the standard. That's pretty much what happened with IPSEC, for example. IETF nearly converged on an IPSEC standard several times until Cisco and other large vendors began making rumblings about "we won't support this" and "we hold patents on that" to try to keep the market divided.

How would I improve it? I think if you look at what standards committees have become today, they're really little more than ratification bodies that rubber-stamp the de facto standard. Usually they tweak it a little bit to salve their pride but that is about it.

I think we could do away with the whole standards thing very easily if a few customers just exercised their economic power a little bit intelligently. Big customers have huge power, but they seem to have forgotten that. If the CTOs of 10 FORTUNE 500 firms announced that they were deferring further purchases of VPN products until they saw proof of interoperability, and open published specifications that weren't encumbered by patents or licenses, the whole market would standardize practically overnight. Because the truth is nobody cares about standards - everyone cares about what you can do with interoperable systems. If customers just openly refused to do business with vendors that produce non-interoperable systems, the whole thing would clear up really fast.

The RFC idea could be brought into the present day if it came from customers not vendors and dilettantes. How about if the CTO of AT&T announced "We're going to standardize on XYZ's implementation of online telephony" and the CTOs of GE, Verizon, Ford Motor [Company], and Citibank announced "we're doing that, too." Game over. Big customers need to drive standards by not tolerating market-dividing games from vendors. Sitting back and waiting for vendors to come up with standards means that they can divide the market while they're waiting to see who becomes the dominant player. Then everyone has to standardize on the dominant player anyhow. Right now, the whole way we do standards is 100% backwards. Just flip it around and it might work a whole lot better.

Story continued on Page 2


Federico Biancuzzi is a freelancer; in addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.
Copyright 2007, SecurityFocus