Forget about hackers and just close the window
'This is a great time to be a geek,' according to Marcus J. Ranum, chief executive officer of NFR Security Inc. of Rockville, Md.
For the first time in history, Ranum said, software is cool. In a bar, the guy with all the girls is the programmer, and the guy buying him drinks is an investment banker.
'That's why it makes me mad to see people looking for the negative and trying to break things,' he said.
Ranum last year expressed his anger in a well-publicized speech criticizing hackers who boast about their deeds in the name of security [GCN, Aug. 21, 2000, Page 53
]. His speech made gray-hat hackers notorious and caused him a lot of grief in the security community, among hackers as well as people who rely on them for the first word of vulnerabilities.
Ranum's relationships with hackers have been unpleasant. 'Some slimeball put BackOrifice on my 12-year-old niece's computer,' he said.
He has decided, however, that the direst security breach is not in publicizing vulnerabilities, which software vendors can patch. The worst breach is the lag time before the patch gets widely installed.
'We need to switch to patch streaming,' Ranum said. He envisions all software regularly downloading automatic patches and version updates from vendors. If vulnerabilities could get fixed almost as soon as they were evident, 'the whole economy of hacking breaks down,' he said.
It wouldn't be difficult to do, technically speaking. Antivirus and other programs already update themselves. But practically speaking, it's a tough sell. Administrators are understandably leery of anything that changes their systems without their knowledge or permission. Many administrators feel more comfortable staying a version or two behind the latest, and many would object to being used as involuntary beta testers for new versions.
So Ranum, who makes his living selling intrusion detection systems, has an even more radical solution to the shortfall in network security.
The market for firewalls alone is an estimated $600 million a year, he said. That money should be spent instead on developing one secure operating system and encouraging developers to write applications for it. Voila'security without firewalls or intrusion detection.
Ranum has been pushing this idea for years, but and it hasn't caught on yet.