Forget about hackers and just close the window

William Jackson

'This is a great time to be a geek,' according to Marcus J. Ranum, chief executive officer of NFR Security Inc. of Rockville, Md.

For the first time in history, Ranum said, software is cool. In a bar, the guy with all the girls is the programmer, and the guy buying him drinks is an investment banker.

'That's why it makes me mad to see people looking for the negative and trying to break things,' he said.

Ranum last year expressed his anger in a speech criticizing hackers who boast about their deeds in the name of security. His speech made gray-hat hackers notorious and caused him a lot of grief in the security community, among hackers as well as people who rely on them for the first word of vulnerabilities.

Ranum's relationships with hackers have been unpleasant. 'Some slimeball put BackOrifice on my 12-year-old niece's computer,' he said.

He has decided, however, that the direst security breach is not in publicizing vulnerabilities, which software vendors can patch. The worst breach is the lag time before the patch gets widely installed.

'We need to switch to patch streaming,' Ranum said. He envisions all software regularly downloading automatic patches and version updates from vendors. If vulnerabilities could get fixed almost as soon as they were evident, 'the whole economy of hacking breaks down,' he said.

It wouldn't be difficult to do, technically speaking. Antivirus and other programs already update themselves. But practically speaking, it's a tough sell. Administrators are understandably leery of anything that changes their systems without their knowledge or permission. Many administrators feel more comfortable staying a version or two behind the latest, and many would object to being used as involuntary beta testers for new versions.
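The two objections above (updates that change a system without the administrator's say, and shops that deliberately run a release or two behind) are policy problems more than plumbing problems. The following added example, written for this article and not code from Ranum or NFR Security, sketches a streaming-update client that reconciles them: security fixes are applied as soon as they appear, feature releases honour an administrator-set lag, and nothing is installed unless the vendor manifest and the downloaded package both check out. The manifest, package contents and `Policy` fields are constructed for the example, and the HMAC over the manifest stands in for the public-key signature a real vendor would use, so that it runs with only the standard library.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in for the vendor's signing key. A real vendor signs the
# manifest with a private key and ships the public key with the client; HMAC
# is used here only so the example runs without third-party libraries.
VENDOR_KEY = b"constructed-demo-key"

# Constructed package payloads, keyed by version, standing in for downloads.
PACKAGES = {
    "1.0": b"constructed package payload 1.0",
    "1.1": b"constructed package payload 1.1",
    "1.2": b"constructed package payload 1.2",
    "2.0": b"constructed package payload 2.0",
}
# Which constructed releases the vendor flags as security fixes.
SECURITY_FIX = {"1.0": False, "1.1": True, "1.2": False, "2.0": False}


def build_manifest() -> bytes:
    """Build the vendor's manifest: every release with its package digest."""
    releases = [
        {"version": v, "security_fix": SECURITY_FIX[v],
         "sha256": hashlib.sha256(pkg).hexdigest()}
        for v, pkg in PACKAGES.items()
    ]
    return json.dumps({"product": "exampled", "releases": releases},
                      sort_keys=True).encode()


def sign(manifest_bytes: bytes, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: authenticate the manifest (HMAC stand-in for a signature)."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def verify_manifest(manifest_bytes: bytes, signature: str,
                    key: bytes = VENDOR_KEY) -> bool:
    """Client side: constant-time check that the manifest is the vendor's."""
    return hmac.compare_digest(sign(manifest_bytes, key), signature)


def load_manifest(manifest_bytes: bytes) -> dict:
    return json.loads(manifest_bytes)


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


@dataclass
class Policy:
    lag_versions: int = 1            # stay this many feature releases behind
    stream_security_fixes: bool = True  # but take security fixes immediately


def choose_target(manifest: dict, installed: str, policy: Policy):
    """Pick the version to install, or None if nothing qualifies."""
    releases = sorted(manifest["releases"],
                      key=lambda r: parse_version(r["version"]))
    newer = [r for r in releases
             if parse_version(r["version"]) > parse_version(installed)]
    if not newer:
        return None
    if policy.stream_security_fixes:
        fixes = [r for r in newer if r["security_fix"]]
        if fixes:
            return fixes[-1]["version"]   # newest security fix, no lag
    # Feature releases: drop the newest `lag_versions` from consideration.
    allowed = newer[:len(newer) - policy.lag_versions] if policy.lag_versions else newer
    return allowed[-1]["version"] if allowed else None


def apply_update(manifest_bytes: bytes, signature: str, installed: str,
                 policy: Policy, fetch) -> tuple:
    """Run one streaming-update cycle; `fetch(version)` returns package bytes.

    Returns ("updated", version), ("up-to-date", installed) or
    ("rejected", reason). Nothing is applied on a failed check.
    """
    if not verify_manifest(manifest_bytes, signature):
        return ("rejected", "bad manifest signature")
    manifest = load_manifest(manifest_bytes)
    target = choose_target(manifest, installed, policy)
    if target is None:
        return ("up-to-date", installed)
    expected = next(r["sha256"] for r in manifest["releases"]
                    if r["version"] == target)
    package = fetch(target)
    if hashlib.sha256(package).hexdigest() != expected:
        return ("rejected", "package hash mismatch for %s" % target)
    return ("updated", target)   # a real client would install `package` here


if __name__ == "__main__":
    m, s = build_manifest(), sign(build_manifest())
    print(apply_update(m, s, "1.0", Policy(), lambda v: PACKAGES[v]))
```

Running the cycle from version 1.0 yields `("updated", "1.1")`, the security fix, while a client on 1.2 with the default one-release lag stays put and does not move to 2.0 until a later feature release arrives. A package that does not match the manifest digest, or a manifest that fails verification, is rejected outright, which is the minimum an administrator should demand before letting anything update itself.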

So Ranum, who makes his living selling intrusion detection systems, has an even more radical solution to the shortfall in network security.

The market for firewalls alone is an estimated $600 million a year, he said. That money should be spent instead on developing one secure operating system and encouraging developers to write applications for it. Voila! Security without firewalls or intrusion detection.

Ranum has been pushing this idea for years, but it hasn't caught on yet.
