Industry leaders debate state of network security tools

LAS VEGAS—Network security took a beating at the Black Hat Briefings held last

Speakers offered up wildly divergent views. Some called network security adequate, but
others said it is irreparably broken and must be rebuilt from the ground up.

“I think we’re doomed,” said Marcus Ranum, president and chief executive
officer of Network Flight Recorder Inc. of Woodbine, Md., a maker of network monitoring

Security is bad and will get worse, Ranum said, because “there simply are no
incentives for producing high-quality software.”

Nonsense, said Ira Winkler, a former National Security Agency employee and now a
security consultant. Tampering workers and bad security policies pose bigger security
threats than flawed software, he said. Patches and other fixes for most vulnerabilities
are readily available.

“Upgrade to the latest version, and you’re OK,” Winkler said.

The two-day briefings on the nuts and bolts of network security drew managers, security
experts and hackers who get their kicks from punching holes in systems.

Winkler said the prowess of most network intruders is greatly overrated. Most hackers,
even those who achieve well-publicized results, are merely “script kiddies” who
execute simple programs downloadable from the Internet, he said.

“I could teach a monkey how to hack a computer in four hours, and that’s
being generous,” Winkler said. “The problem is: Potential victims don’t fix
the problems.”

Conference organizer Jeff Moss agreed. Moss is director of security assessment services
for Secure Computing Corp. of Roseville, Minn., the conference’s sponsor.

Moss said there are too many weaknesses, too many patches and too many
products—all of them changing too quickly for most administrators to follow.

“You could build a very strong network if you did everything that is
necessary,” Moss said. But most administrators have neither the time nor the
expertise to do everything, he said.

Moss, a self-proclaimed security Nazi, agreed with Ranum.

“More and more people are rolling out unsecure products,” he said.

Ranum blamed the failures on pressure to bring applications to market quickly.

“We have a lot of shovelware just being thrown over the wall with no security at
all,” he said.

Since computers first began to communicate with one another, each layer of the network
has ignored security, Ranum said.

“Security to this day is viewed as an SEP”—somebody else’s problem,
he said.

About the Author

William Jackson is a Maryland-based freelance writer.

