Marcus J. Ranum: I think that computer security is a very new field, really -- and it's one we don't appear to understand very well. Unlike engineering sciences where we have learned how to construct solid systems with plenty of overhead and conservative design, we haven't figured out how to cope with the inherent complexity of software. For example, Microsoft used to brag that Windows was 50-plus million lines of code. That makes Windows one of the most complicated things people have ever built. Why do we expect flawless security out of such a system? In the future, security will follow one of three paths: a return to simpler systems (unlikely, but to me the most technically feasible); some kind of means of managing all the complexity (hard to accomplish and will require new things we haven't invented yet); or the situation will remain the same as it is now. Looking at the nearer future, how is the integration between different security systems and products going? Will we continue to have separate components or everything will be integrated?
Everything should be integrated but it probably won't be. Right now the way people think about integrating system is to buy a firewall from over here, an IDS (intrusion detection system) from there, a virtual private network from here, and glue them together to make them work. To do it right, we'd need a completely seamless integration -- right now the only company that even appears to know how to do that kind of thing is Microsoft. But even Microsoft's integration hides lots of ugly little coding stuff behind the nice seamless interface. To do it right someone would need to start a new company to build a firewall/IDS/VPN/host IDS/host integrity checker/antivirus system/encryption system/secure Web server from scratch -- all designed to work together under a common management interface. That is hard, and it would take a lot of money. On top of that, customers already have installed systems they'd be reluctant to just take out and replace. So I don't think that a completely integrated security system will happen unless it's so compelling that customers will be willing to throw away their existing investments in software. I don't see that happening any time soon, do you? Many vendors say "a firewall is not enough." What is the actual role and future developments of this kind of product?
Have you noticed that usually the vendors saying "a firewall is not enough" are selling you something in addition to your firewall? It's a funny coincidence, no? What's sad to me is that firewalls could almost be enough except that the vision of firewall designers ended with "fast packet inspection" and never went further. The only reason we have an intrusion detection product market at all is because the firewall vendors were too busy selling firewalls to think to add intrusion detection abilities to them. And they were too afraid of slowing their products down and losing customers through benchmarks. Firewalls have embraced doing VPNs pretty effectively. Why they aren't doing content scanning, antivirus, intrusion detection, and honeypots is really a mystery to me. How do you think that future developments in operating systems will affect security problems? Do you see a prevalence of Windows or Linux or traditional Unix for security systems?
I don't think operating systems make much difference. Both Windows and UNIX have powerful abilities to enforce security restrictions on applications. But everyone leaves them turned off or application writers don't take advantage of them -- or actually require them to be disabled. So I don't think operating systems will make much difference as long as you get "turn off your antivirus product while installing this program" as the norm. Did 11 September influence security issues and technologies?
Not much, really. There has been a lot of hype but very little actual change. What do you think of the ethical hacker community?
There's no such thing as an "ethical hacker" -- that's like saying "ethical rapist" -- it's a contradiction in terms. The situation is that in the late 1990s a lot of the hackers realised that they could cash in and make big bucks by using their skills for legitimate purposes. There have always been legitimate security practitioners that were as skilled (usually more skilled) than the hackers. But the hackers did a good job of trading off of their underground chic and made a ton of money. It's really just marketing. I can't blame someone for wanting to cash in and I guess it's better to have these guys working honest jobs than out causing trouble. What bugs me are the "ethical hackers" that are working as "security practitioners" and who are still out there writing and distributing hacking tools and actually helping cause the problem they are making money trying to prevent. That's just unethical. Is there a particular project you are working on right now?
These days I am working as a consultant on a number of important and interesting projects, and am also getting interested in security log analysis. I've just updated a Web site on log analysis and have been writing tools for forensic log processing. It's an interesting project because sometimes you're dealing with large amounts of data and need to process them very rapidly. Trying to find a single possible attack in 422 million log records (a real project I was just working on) is a challenge at many levels. It keeps my life from getting boring. Gaetano D'Elia, Information Risk Management Consultant in KPMG, contributed to this report. D'Elia is a senior contributor to ZDNet Italy on security issues.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
Let the editors know what you think in the Mailroom.
