Show 111 – An Interview with Marcus Ranum

June 30, 2015

Has software security actually gotten worse? On the 111th episode of The Silver Bullet Security Podcast, Gary talks with Marcus Ranum, Chief Security Officer of Tenable Network Security. He is the inventor of both the proxy firewall and early-advanced intrusion systems. Gary and Marcus discuss the current state of software security, firewalls, de-perimeterization, and hackers. Marcus also shares how he stays on the cutting edge of security and who his biggest influences are. Gary closes the show with an unexpected “dirty, brilliant trick.”

Transcript


Gary McGraw: This is the 111th in a series of monthly interviews with security gurus and I’m super pleased to have back with me again, Marcus Ranum. Marcus Ranum is the Chief Security Officer of Tenable Network Security. He is the inventor of both the proxy firewall and early-advanced intrusion systems. He’s also an excellent photographer, a marksman and a closet romantic. After a decade in computer security, Marcus remains one of the sanest voices in the field. Marcus lives in the Hinterlands of Morrisdale, PA, on a big, giant property. Thanks for joining us today, Marcus.

Marcus Ranum: Hey, thanks for outing me.

McGraw: [laughs] No problem. It’s already on Wikipedia. So, let’s just dive right in. This firewall thing you helped to invent years ago is still in widespread use. Is that good?

Ranum: Absolutely. For any given us vs. any given them, being able to divide us and them is a good idea. The current crop of firewalls, formerly known as next-generation firewalls and now known as current-generation firewalls, are basically taking advantage of gigantic amounts of pre-computing that’s available and they can do some amazing analysis. So it’s still a useful way of dividing things apart.

I run into people all the time that say, “The firewall is dead.” What I usually say to those guys is, “two words: DNS and ARP.” And if they don’t just shut up after that, I know I’m dealing with a newbie.

McGraw: Well, the ARP-attack stuff I guess most people didn’t live through. It was funny to see that resurface when WiFi first came out.

So let’s talk about perimeters. There used to be more perimeters years ago than there are now. Because we have much more distributed architectures, our applications are distributed, we have geographically distributed companies (multi-national companies), and the notion of perimeter gets harder and harder to distinguish and use.

Ranum: Yes, so what you’re saying is, “Security has gotten worse.” I agree.

McGraw: Well it’s certainly gotten harder if you only take a perimeter view, which I know that you don’t.

Ranum: No, I don’t. But it’s gotten harder and it’s gotten worse because people persist in doing really stupid things. They persist in fielding applications that literally do not understand how to separate our data from their data. And if you don’t understand how to separate my network from your network, I don’t have much of a network, do I? That’s really the problem. The last 15 years of computer security have been an exercise in people believing that you can do something fundamentally dangerous with safety, and that’s just dumb.

McGraw: So, do you think the dissolution of the perimeter will continue, so we should just not even factor that into our future thinking about how to do computer security?

Ranum: No, I absolutely don’t think that’s going to happen. The people that are talking about dissolving the perimeter, I think they’re arguing for something that’s extremely optimistic and very naïve. You know as well as I do that the only way you can really de-perimeterize things is if you’ve got strong endpoint security. Well, how’s that working out for you?

McGraw: So, philosophically, we should have strong endpoint security, but it’s not coming along.

Ranum: If we had strong endpoint security and terrific application security, then we could de-perimeterize.

McGraw: The long and short of it is, we can’t really afford to de-perimeterize. And the best of all possible worlds is not coming about any time soon.

Ranum: That’s right. And the thing that really drives me crazy about this issue is that there are people who basically say, “Oh, we’re going to de-perimeterize and things will work out.” That ignores a tremendous amount of history. De-perimeterizing just doesn’t work. I’m not saying that we’re going to continue to have firewalls that look like proxy firewalls circa 1989. Nowadays, what we’ve got are firewalls that are doing application-level stuff that’s pretty cool, that are doing all kinds of meta-analysis, and that are pulling stuff out of layer 7 to a degree that most of the early generation of firewalls didn’t do. This is all goodness because now it means you’ve got the ability to install and implement tighter controls on your data and what’s going on on your network. Again, the problem is that most people actually don’t want to do that. So, they’re irritated by the fact that you’ve got these tools that actually give them the ability to express and define a more effective policy, when really the secret fact is that they never want to express and define a policy at all. They’ve just been looking for an excuse to go, “Waaa.” It’s like this whole de-perimeterization thing is somebody who’s going from fad diet to fad diet looking for a way that they can eat all the Ben and Jerry’s they want and still lose weight. It doesn’t work.

McGraw: I like it.

So, you’ve probably given hundreds of talks in your career—maybe thousands. What do you think was your best talk you’ve ever given?

Ranum: It depends on what you mean, best in terms of critical impact or best in terms of intellectual content?

McGraw: You decide.

Ranum: I did a talk a couple of weeks ago in Minneapolis at Security 360 in which I tried to boil down basically all of the rationalizations and all of the ideas that I’ve learned on policy management and detection since I started in this industry. The more I keep thinking about it, you need different types of signatures and algorithms and stuff like this and I realize that ultimately they just boil down to one particular type plus a wide-variety of different implementations. So, I tried to describe that and I think I did OK. There were several people in the room who got it. But, ultimately we’re still in a market where you run into people who are selling signature-less detection systems that are just full of signatures. Not that there’s anything wrong with signatures at all, but…

McGraw: They just don’t know how they actually work.

Ranum: Yeah, but seriously, if you’re part of the marketing department of a start-up, you actually should know how your product works before you go along and say, “I know. We’re going to market this product by lying about what it does.”

McGraw: So, I can take from that answer the perspective that you’re always on the edge of what you’re talking about. And your favorite talk is the one that you gave last because it’s crystalizing your current line of thinking.

Ranum: Correct. I think we should all be moving evolutionary targets. We should always be challenging everything that we accept—even our own perceived wisdom. I think when we get to the point where we decide that we’ve actually figured it all out and stop reassessing, we’re making a horrible mistake. My talk about the one detection algorithm is something that evolved out of years of tearful academic debate with my friend Ron Dilly. We’ve basically been going back and forth about this forever. We started with the idea that there were three detection algorithms, then he pointed out that two of them were actually a superset of one. And then I realized that they were three parts of the same thing. It’s been fun.

McGraw: So, keeping up with the edge actually can be enhanced when you have to give a talk because then you’re forced to express the ideas that are bubbling around in your brain.

Ranum: Right. Ultimately, any time that you’re trying to express an idea, you have to figure out what is the backfill information that I have to give my audience so that they’re going to be able to understand what I’m saying. This isn’t Catholicism. You can’t simply say, “I’m the Pope. Therefore this is correct.” You have to say, “Here’s a bunch of pieces of information and they lead you in this particular direction as far as, here’s the thought that I’m trying to guide you into.” Which means you’ve got to sit down and you’ve got to really think about: what are the most important intellectual touch points that I used to derive my opinion? If you can’t do that, then you have to step back and go, “How did I derive my opinion?” Because what you’re trying to do is get other people to re-derive your opinion on the fly.

McGraw: I also think that when you do that a lot, even if you give the same talk 20 times, though it wouldn’t be exactly the same, you get different perspectives from the audience that sometimes surprise you. They’ll ask something that at first you think is crazy, and then you say, “Oh, I see. They’re looking at it this way.” And that informs your future communication.

Ranum: And then there’s always the slight potential, which fortunately hasn’t happened to me very much, that you’re standing up there and you do a talk about such and such, and someone raises their hand and says, “What about blah?” If I was doing a talk on de-perimeterization and how it was a great idea and we should do it and someone raised their hand in the Q&A and said, “What about ARP and DNS?” I’d say, “Oh, everybody just ignore everything I’ve been talking about,” or walk off the stage, because you have to be able to constantly reassess yourself. One of my favorite stories in science is one Richard Feynman recounted about a physicist who had this particular theory, and someone came to present some results that completely destroyed this guy’s theory. And apparently the guy was terrified because here’s this extremely important physicist sitting in the audience listening to him as he tears this guy’s life’s work apart. And when the guy finally grinds to a halt, the senior scientist stands up, walks up on stage, shakes his hand and says, “Thank you so much for clearing that up. I’ve been really bothered by this issue my entire career.” That is the kind of intellectual rigor and self-honesty that we need in this industry. Again, that’s why I get so angry when I see somebody say, “We have a signature-less intrusion-detection system.” I know there’s only one of two things going on. Either they’re deliberately lying to their customers, which I’m inclined not to think they’re doing, or they’re actually so clueless about what they’re selling that they actually do believe what they’re saying.

McGraw: Sometimes it’s hard not to become cynical when you’re faced with so-called progress in the field. Do you think we’re making forward progress or not?

Ranum: I don’t think we’re making forward progress at all. No. I think we’re reinventing the same things over and over again at this point. And now, what we’ve really come down to is reinventing the same things and coming up with new names for them, which is like renaming the Titanic when it’s halfway through sinking: “OK, that’s good. It’s now the Royal Line Dreadknot.” It doesn’t change anything if you just start shuffling the deck chairs around like that.

McGraw: Do you remember the article that you wrote on the ‘6 Dumbest Things in Computer Security’?

Ranum: Absolutely. And I left the really important ones out.

McGraw: How would you adjust that list?

Ranum: I would adjust the list in a couple of ways. One of them would be, instead of simply saying, “Hacking is not cool,” which is kind of taking a socially-oriented attack toward the ultimate problem, which is a failure to understand test methodologies that demonstrates itself in the form of penetration testing. Instead of trying to approach that from the social perspective, I would have preferred to have explained why penetration testing is not testing.

McGraw: That’s what I try to get to with the Badness-ometer idea.

Ranum: I like your Badness-ometer idea. But how do we attack this? We have to go after these bad ideas by saying, “You know, you’re not actually allowed to use the word ‘test.’” Lord Kelvin says, “You’re not allowed to use the word ‘test’ unless you actually understand the unit of measurement that this thing is going to return.” And one of the options that it doesn’t return is: your network is not secure. The other one I didn’t even bother going into because, frankly, I was getting really depressed and I was running out of wine and I just didn’t want to go into it. But the other one I wanted to mention was, transitive trust is always going to be a critical property of computing security and there’s absolutely no way around it. At the time I wrote that, which I now realize was quite a long time ago, we weren’t seeing any really interesting transitive-trust-based hacks against the community. So I simply didn’t want to go into that because I felt like I’d be running around going, “The sky is falling. The sky is falling.” But if I were to rephrase it now, what I would have basically said was, there is this entire other class of problems that we’ve been able to ignore because the hackers simply aren’t that good. And the reason that the hackers aren’t that good is because they don’t have to be. Which is an incredibly depressing way of putting it. But that’s kind of where I would have gone.

McGraw: Well, there are always going to be people who are breaking our systems in new ways once we figure out the old ways or stop the old obvious ways. I agree with you that transitive trust is kind of the next generation of stuff that not many people have yet thought about. Some have. The notion of trust enclave seems to come after secure design, which we’re still flirting with.

Ranum: Right. Figuring out your trust visualization would be a really fascinating thing. There have been times in my career where I’ve thought, “Wow, it’d be kind of cool to build a visualization tool that would allow you to establish some kind of a picture of what your trust relationships are.” So that you could go to this thing and you could say, “Hey, if this particular business partner got penetrated, what would that mean to me?” Then the problem is that that tool, if such a thing existed, would be way far ahead of what anybody actually needs because the answer is: If any of our partners were penetrated to any significant deal, we’re completely penetrated.

McGraw: Well, I think the other problem would be that it would become a fully connected graph very quickly. You’d end up with what happened when we started doing taint propagation and data analysis long, long ago. And you drip in the red data and, “Oops,” everything turns red just instantaneously.

Ranum: Right. Which basically shows you a tremendous amount about network design, security design, application design, blah, blah, blah. Wait a minute, aren’t you the guy who a couple of seconds ago was asking me whether we were still going to need perimeters? As long as our model of computer security is, if you get one drop of peanut butter in the chocolate then it all goes red, then, yes, we’re still going to need perimeters, because that means we’re actually still designing to the idea that we still have a perimeter—whether the perimeter is your software, your data, or your network.

McGraw: I think that’s the right way of putting it. We’re still designing as if there were a perimeter or there has to be a perimeter. And maybe we have to.

Ranum: My entire life has been a process of trying to take a whole bunch of things and thoughts that don’t really make a huge amount of sense for me and then turn them into something that does make sense and then I can go, “Aha!” If I can factor these things out and rationalize them, then I can understand the root cause and then I can start to figure that out. So, every time I start thinking about this stuff at a really deep level I come to this realization, which I will now share with you for the first time: Humans just aren’t very good at things.

McGraw: [laughs] I think we knew that.

Ranum: There’s my Ted Talk.

McGraw: That’s going to be a popular one for sure.

Ranum: That is one of the things I think is really funny and it’s totally relevant to what we’re talking about here. You keep seeing these mindsets, which I think are really laudable, where people are saying, “We’re going to do this incredibly optimistic thing.” But it completely flies in the face of human intellectual history, which is generally a massive sequence of failures.

McGraw: So let’s pull this out of Philosophy Land and down to Software Land. You know I harp on the importance of software security and building things properly and so on. Do you think we’re making any progress in realizing that we need to build stuff differently than we have been? Or is that just fundamentally tied to this kluge that we’ve been evolving?

Ranum: Honestly, I don’t want to say your whole life’s work has been wasted. The folks who’ve been yelling about software security are great and you’ve managed to make some important converts in some crucial places. You’ve managed to get the rudder on the Titanic turned in a good direction.

McGraw: [laughs] I think the rudder aims down on the Titanic.

Ranum: Well, eventually it winds up aiming down, yeah, that’s the problem. You know, I keep going back in my mind to that amazing day in 1995. I was in a data center in Texas at Sterling Software with my friend, Kent Landfield, when Netscape went public. And we saw that stock just go through the roof on that one day. And one of the things I remember thinking was that this is the age of the permanent Beta test. What we just saw is that if you write crap and throw it over the fence, you can make all the dollars and there’s never going to be an economic incentive ever again for writing good software.

McGraw: Right. I think there is a lot of truth to that, although we may be waking up from the long bender for some aspects of the world. If you think about the notion that there are critical pieces of infrastructure that need to be built in a different way and we can’t rely on kludgy engineering for nuclear power plants, for example, because that creates a 30,000-year problem. Then that starts to wake you up.

Ranum: Exactly! But what kind of idiot would use VLANs to separate the in-flight Internet access from the engine control system? Something like that would never happen.

McGraw: [laughs] OK. OK. I give up.

Ranum: I’m not saying, “Give up.” It’s not even one step forward, two steps back. We’re doing this incredibly bizarre staggering around that’s not even as directed as one step forward, two steps back. We’re non-linear.

McGraw: So, let’s talk about marketing, speaking of non-linear. I’ve always been jealous of your incredibly creative marketing prowess. Some of the stuff you’ve come up with is hilarious, like the security calendar and the tickets that you were writing way back in the NFR days. Where do these crazy ideas come from?

Ranum: [laughs] I don’t really know when I started with it, but I’ve always been a huge fan of surrealism and I feel like there’s a little Salvador Dali engine running in my brain at all times. It’s taking everything that I see and it’s trying to figure out, “What can I add to that to come up with something extremely weird?”

McGraw: The crazy angle.

Ranum: Yeah. What’s the crazy angle here? But ultimately, I really want to be careful to choose my words so that I don’t sound like I’m patting myself on the back, but there are people who do so much of a great job of this. And we call them comedians, right? I’ve got to figure that Louis CK’s brain’s got that little Salvador Dali engine, except it’s fueled by meth or something. Did I just say he’s a meth-head? No. It’s fueled by rocket fuel or something like that. And those are the people that have become comedians. So, what you’re doing is basically social commentary. And if you look at all the marketing stuff that I’ve done, it’s all social commentary about what’s ultimately dysfunction in the computer security world. So, really all I’m doing is just taking a fraction of the goofy stuff that I see in my day-to-day life and trying to figure out how I can make this palatable and slightly amusing. Call me Pagliacci if you will.

McGraw: And the humor is important to you I think. It’s not just absurdity, but it’s also absurdity that makes you giggle.

Ranum: It is. The whole thing there is part of a realization that I once had around the time that I started NFR and I started all that weird marketing. I remember I was looking at my wardrobe and I was getting ready to put on a t-shirt. This was back when I worked at TIS and my wardrobe was filled with all these ugly t-shirts from all these vendors and the only thing they had on them that was even remotely interesting was a logo. And I felt, “Why do I care about wearing somebody else’s logo?” And then I had the idea that our marketing t-shirt should be a t-shirt that somebody actually wants to wear for its own sake. Hey, what an idea, right? And then you put your marketing stuff below the level where it tucks into the person’s pants. If you remember the security flowchart t-shirts and the Internet police t-shirts and all of those kinds of things from back in the NFR day, the corporate marker was all kind of stealthed. And I knew that I was onto something when I was at USENIX and I saw a guy pulling his t-shirt out of his pants so that he could answer the person who asked, “Where’d you get that cool t-shirt?”

McGraw: [laughs] All right, let’s talk about hackers for a bit. At the top of the show you said that when you were doing the ‘6 Dumbest Things’ work you took the wrong angle on that. So, do you give any quarter to hackers now, to the idea of breaking stuff? Isn’t talking honestly about an attack something essential?

Ranum: Yeah. That’s something absolutely essential. I think that in that situation you have a rather weird cross-over. If you want the reformed hacker or whatever, what you’re basically saying is, “I’m a criminal who has learned how to act like a security consultant.” Oh, OK. That’s fine. But, why don’t you just act like a security consultant all along?

McGraw: [laughs] Some of us are like that, but we get less press.

Ranum: We get less press and we’ve got way shorter criminal records. OK, so Kevin Mitnick, you’re a smart guy. You’ve demonstrated that you can do basic flaw detection if you’re stubborn enough. Why didn’t you start off as a system designer? You wouldn’t have spent so much taxpayer money getting arrested by the Feds and incarcerated. Probably wasn’t great for you either. But, just speaking as a taxpayer, I don’t see benefit to that. So what we really need to do again is look at the situation and ask ourselves, “Is this the correct set of incentives?” I do know some really good pen testers. And the good pen testers—you know this as well as I do. I mean, arguably, you’re kind of in that business, right? The good ones are the guys who say, “Sure, we analyzed your stuff. And we found these problems. But these problems are part of <insert root cause analysis here> and here’s a meta-solution that will allow you to fix all that kind of stuff.” That’s very different. That’s acting like a security consultant. That’s very different from what the hacker does. He finds one way in and exploits it.

McGraw: I think that’s right, but I also think that in some sense you have to be able to think like that when you’re designing, even. So I don’t think you can test your way into security either—although, we can’t just abandon the testing idea. But we do need to figure out how to think through terrible scenarios while we’re designing a system so we can avoid them.

Ranum: That’s straight out of Sun Tzu. You need to understand the attack and defense at a meta level and, in fact, once you understand it at a meta level, then the details become indistinct. They’re literally not necessary. That’s a very, very important process. I don’t like advocating military analogies applied to computer security because I don’t think that they map very well. But you’ve never heard of a situation of someone in the Middle Ages who said, “Hey, let’s build a castle and we’ll just put the walls any ol’ which place. And we’ll move them around later when we discover where the flaws are.” You have to think about this stuff as part of your overall strategic design. That’s why the whole Netscape IPO, for me, was such a horrific disaster. Because it meant that the strategic design for software didn’t even have, “it should be good and reliable,” on the table. The strategic design was, “It should be incredibly marketable with a gigantic user base.” The results speak for themselves.

McGraw: Yep. So, who’s influenced your career the most? Stick to humans.

Ranum: Bill Cheswick has been a tremendous influence on the level of thinking about some of the firewalls. Dorothy Denning. On the intellectual front, from the perspective of professional career building, absolutely, hands-down, one of the greatest people you could ever work for in your career would be Fred Avolio. I worked for Fred when I was at Digital, which was a very formative period of my life. Fred gave me all kinds of wonderful advice in such a down-low way that you didn’t really realize he was teaching you, which was amazing. I continued to work for him when I was at TIS. He’s just a great person from a standpoint of bringing people along. You need all these different sources at different levels and each of them throws something different into the pot.

McGraw: The last left-field question. What is your favorite power tool for use in home repair and improvement?

Ranum: Home repair?! Probably a cordless screwdriver. But if I was to actually figure out which one of my power tools I spend the most time on, it’s probably my table saw. A cordless screwdriver is kind of… well, why have I been twisting screws for so long? That’s really nice. And it can strip a screw out in no-time flat. It’s wonderful.

McGraw: I totally agree with you. I have one major power tool here at that beach house and it’s a cordless screwdriver. It’s absolutely essential.

Ranum: I know a guy that does fine art carpentry with a Sawzall. And this is kind of relevant to the whole computer security thing. I think what happens is, you have to learn, like with any craft, you have to understand what the strengths and weaknesses of all of those different tools are. And then as part of your meta-analysis about, “What the heck is it I’m actually trying to do?” Then you fit the tools in. If you do it the other way around, which I’m afraid a lot of people do, they say, “What tools do I have? Oh, well, I have a Sawzall, therefore I’m going to secure my network with it.” It all flows from having an understanding of your strategy and working backwards and downwards from there.

McGraw: OK, you ready for the reveal?

Ranum: Mmhmm.

McGraw: Because you were the victim—I mean guest—of Silver Bullet Episode 3, which was exactly nine years ago. 108 months. And I asked you the exact same question. So now we get to go back and compare the answers from nine years ago to now and see how they are the same.

Ranum: What a dirty, brilliant trick!

McGraw: [laughs] It’s going to be fun. But I’m not doing it until I’m back in the office.

Ranum: Well, obviously my brain is melting down right now as I’m trying to remember everything that I might have said back then. All I can say now is that whatever I said nine years ago, I believed it nine years ago.

McGraw: [laughs] I think you’re a pretty consistent guy, Marcus, when it comes right down to it. Your philosophy has always been consistent.

Ranum: Well, I do guarantee you, if there’s anything that I’m saying that’s really, fundamentally different, I could explain why.

McGraw: I’m sure. Of course, because of the evolution of ideas. I totally agree. Well, thanks very much. I really appreciate it. It’s been fun.

Ranum: Always a pleasure.

McGraw: This has been a Silver Bullet security podcast with Gary McGraw. Silver Bullet is co-sponsored by Cigital and IEEE Security and Privacy magazine and syndicated by SearchSecurity. The March/April 2015 issue of IEEE S&P magazine is a special issue devoted to the Oakland Conference. The issue features our interview with Whit Diffie.