Industry leaders debate state of network security tools
- By William Jackson
- Aug 10, 1998
LAS VEGAS - Network security took a beating at the Black Hat Briefings held last
Speakers offered up wildly divergent views. Some called network security adequate, but
others said it is irreparably broken and must be rebuilt from the ground up.
"I think we're doomed," said Marcus Ranum, president and chief executive
officer of Network Flight Recorder Inc. of Woodbine, Md., a maker of network monitoring
Security is bad and will get worse, Ranum said, because there simply are no
incentives for producing high-quality software.
"Nonsense," said Ira Winkler, a former National Security Agency employee and now a
security consultant. Tampering workers and bad security policies pose bigger security
threats than flawed software, he said. Patches and other fixes for most vulnerabilities
are readily available.
"Upgrade to the latest version, and you're OK," Winkler said.
The two-day briefings on the nuts and bolts of network security drew managers, security
experts and hackers who get their kicks from punching holes in systems.
Winkler said the prowess of most network intruders is greatly overrated. Most hackers,
even those who achieve well-publicized results, are merely script kiddies who
execute simple programs downloadable from the Internet, he said.
"I could teach a monkey how to hack a computer in four hours, and that's
being generous," Winkler said. "The problem is: Potential victims don't fix
Conference organizer Jeff Moss agreed. Moss is director of security assessment services
for Secure Computing Corp. of Roseville, Minn., the conference's sponsor.
Moss said there are too many weaknesses, too many patches and too many
products, all of them changing too quickly for most administrators to follow.
"You could build a very strong network if you did everything that is
necessary," Moss said. But most administrators have neither the time nor the
expertise to do everything, he said.
Moss, a self-proclaimed security Nazi, agreed with Ranum.
"More and more people are rolling out unsecure products," he said.
Ranum blamed the failures on pressure to bring applications to market quickly.
"We have a lot of shovelware just being thrown over the wall with no security at
all," he said.
Since computers first began to communicate with one another, each layer of the network
has ignored security, Ranum said.
"Security to this day is viewed as an SEP, somebody else's problem,"
William Jackson is a Maryland-based freelance writer.