Interview with Marcus Ranum

SA Security Bloggers

SensePost

Haroon Meer
link

Matt Erasmus
link

Andrew Mohawk

Junaid Loonat
link

Barry Irwin
link

Tom Wells

Allen Baranov
link

Jock Forrester
link

IT Security Pubcast
link

Telspace

ISGAfrica

Ralfe Poisson

How-To's
link Linux SSH Jail with pam_chroot
link Firefox Privacy & Security Extensions

Papers
link Managing Patching, my MSc Thesis
link Risk Analysis of Monthly Patch Schedules

Tools
link Automated Vodacom SMS (VodaSMS)
link RSS 2 SMS
link DShield Hack Detection

Neologisms
link Encryption principles
link Zoolander's Law

Syndicate This Blog

SSL

Certificate fingerprints:

SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89

HTTPS version.
You can find an explanation here.

License

Original content in this work is licensed under a Creative Commons License

Disclaimer

This blog and its contents are in no way affiliated with, or endorsed by my employer.

Random Entry: On the Middle East and Lebanon
< Reverse Engineering Microsoft Patches | Off to ISSA 2005 >

Sunday, June 26. 2005

Interview with Marcus Ranum

SecurityFocus has an interview up with Marcus J. Ranum. Attention seems to come in pairs. I really enjoyed what he has to say, on standards, the security industry, and how to make it better. I found his point on approaching security with whitelists rather than blacklists (e.g. antivirus is a blacklist, while this is a whitelist) quite interesting.

Here are a few choice quotations:

Most of the application protocols in use are still insecure and unencrypted. So, you set up little VPNs between each host, and you tunnel some applications over SSH or SSL. But that still doesn't work because you've now got a problem of transitive trust. If host A talks to host B and host B talks to host C, then a vulnerability in host B leaves host A open to attack from host C. Transitive trust is the "secret killer" of computer security but most of the time we never bump up against it in practice because it's easier for hackers to get in via simpler methods.

Whenever someone tells you that there's a novel, easy, solution to security, it's either because they don't understand security or they're trying to sell you something that isn't going to work.

In order to build really secure systems you need to understand the trust relationships between your systems and then build your systems to enhance and support your mission based on those trust relationships. But that's hard work that very few people have the courage and patience to undertake.

The computer security industry is trapped in this backwards mindset in which its practitioners keep trying to "list and deny all the things that are bad" rather than "list and permit all the things that are necessary and good"

Posted by Dominic White in Security at 21:46 | Comments (0) | Trackback (1)

Last modified on 2005-06-26 21:58

Trackbacks

Trackback specific URI for this entry

MS05-039 and the Zotob summary
Quite a lot has happened in the last few days, some of it is significant and some of it is just media hype. The Chief asked us to rant out it. In this summary I will try and cut through the hype and see if there are any important lessons or theories tha

Weblog: .tHE pRODUCT
Tracked: Aug 18, 03:44

Comments

Display comments as (Linear | Threaded)

No comments

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry