Slashdot Mirror
Inventor of Proxy Firewall Blames Hackers
An anonymous reader writes "SecurityFocus published an interview with Marcus Ranum, the inventor of the proxy firewall. It's an interesting reading, and the end is even better:
Truly, the only people who deserve a complete helping of blame are the
hackers. Let's not forget that they're the ones doing this to us. They're the
ones who are annoying an entire planet. They're the ones who are costing us
billions of dollars a year to secure our systems against them. They're the
ones who place their desire for fun ahead of everyone on earth's desire for
peace and the right to privacy."
Truly, the only people who deserve a complete helping of blame are the
hackers. Let's not forget that they're the ones doing this to
us. They're the ones who are annoying an entire planet. They're the
ones who are costing us billions of dollars a year to secure our
systems against them. They're the ones who place their desire for fun
ahead of everyone on earth's desire for peace and the right to
privacy."
Ok, but swap a hacker's desire for fun with a software companies
desire to make money without properly taking responsiblity for
securing their product and one could also write:
Truly, the only people who deserve a complete helping of blame are the
software companies. Let's not forget that they're the ones
doing this to us. They're the ones who are annoying an entire
planet. They're the ones who are costing us billions of dollars a year
to secure our systems against them. They're the ones who place their
desire for profit ahead of everyone on earth's desire for peace
and the right to privacy."
It is like a credit card company saying that if someone breaks into
their systems and steals my credit card number, that is my
responsibility - or maybe it is the hackers fault. Well sure, it is
my fault for using a stupid bank, and the hackers fault for committing
the crime - BUT SURELY the bank has to take some fault for making this
whole possible - right?
"They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them."
Hmmm.
He is also 100% wrong. No one wants to live in a world where we have to lock our doors. Everyone wants to live freely without worry of being taken advantage of. It is absolutely the fault of the "evildoers" that we must put locks on our windows and worry about the footsteps following us down the dark, reeking alleyway.
But it is also our own responsibility to be sure that we can prevent people from taking advantage of us. This means that we must have those locks and firewalls. To neglect this is to essentially invite attack and intrusion. And if it isn't at the hands of one group, it will be at the hands of another.
We don't live in a perfect world, so it's important that we have adequate locks.
Rome builds shitty wall, Emperor blames failure on existence of barbarian hordes.
It'd sound fucking ludicrous to read that in a history book, it's no less ludicrous to read that in a modern context.
Dude, grow a pair.
I can not say I agree with the "hackers" (or rather, blackhats), but this is just ignorant.
Let's say there weren't a lot of crackers. Nobody would even bother about the slightest bit of security. Then one guy would learn enough, and since the lack of security he would be able to root the entire planet. One real blackhat, and we'd all be doomed.
We should thank the hackers.
And if software companies would pay a little more attention to security, the internet would be way more secure. So it's THEM to blame.
"Locks only keep honest people honest." Such is the same with all security measures. Anything that is created by man can be defeated by man.
Cliff Claven
K.E.G. Party Chairman
Founding Leader of: Koncerned for Egalitarin Governance
Virus writers, crackers and their ilk are the predators and pathogens of the Internet ecosystem. They kill off the weak and make the rest stronger.
What would you prefer? An Internet full of weak hosts, with a wealth of unexploited security holes and weakly configured security systems, where your security is left up to the good will of others (everybody just play nice now)? Or one where leary vendors and service providers stand in constant vigilance over security issues, because they have to. The wolves are circling the herd.
What would happen if all the 'hackers' just went away? Everyone would get complacent. Security holes would proliferate, until the temptation just became too large and someone takes it all down in one fell swoop.
I don't know where to begin on this one.
If there weren't any burglars around, I wouldn't have to lock the doors of my house.
If everyone would abide traffic rules, the need for airbags etc. would vanish.
This guy is not only complete missing any connection with the outside world, he also forgets that there are thousands of people working in the (IT) security industry, making a living. It may sound silly, but we keep our economy going this way. This is why there are so many economists/therapists/lawyers/communication advisors/etc. around.
I feel like feeding the troll here. Time to knock it off...
According to Society:
criminal hacker == hacker therefore
criminal hacker == hacker
IPv6 should be the future. Do you see a more secure future then?
No, IPv6 isn't going to solve anything.
I liked this line the best. I'm tired of the people who prattle on about how NAT has broken the internet and how IPv6 will negate the need for NAT and solve all our security problems. That line is a bunch of crap and now we have someone of authority acknowledging that. As for the "out of addresses" excuse, don't even get me started.
As nice as it is to think that the world would be in perfect harmony without hackers, it is little more than a pipe dream. Throughout history, humanity has been plagued by the selfish nature of its constituents ('human nature' just does not jive with the 'common good'), and that is a fact I would argue is on par with Death and Taxes. We as a society have to be realistic here, and we as the geek community, the developers of software, have to take the responsibility to make high quality, secure software, because you just can't trust the public. Wasting our efforts by complaining about hackers is foolhardy.
I'd rather be cycling.
One of the reasons Ranum is such a bitter guy is that he never made any money out of his products. He was always working for someone else and never got a piece of the action. When he finally had his own company (NRF) the product we ill defined, then attempted to redefine itself as an IDS, but was never able to keep up with the performance of modern networks.
I agree with you. Sadly though (in this particular instance), languages change, and word usages evolve. (Anyone remember when you could actually use the word "gay" to mean "happy"?) The hoi polloi have taken the word away from the Hacker (in the traditional sense) community, and made it into something else. We just have to move on, I guess. Given that you're already no longer allowed to correct people's spelling, grammar, syntax, be it on the Internet or even at work, might as well let semantics go down the drain with the rest of it all... /vocabulary nazi off
If I'm reading that right, you have it backwards - like a lot of people, I think. If, let's say, someone left their front door open and you saw some nice lookin shiny thing while walking down the street, and you went in and took it, then got caught...what would the police say? "Oh, it's not your fault. After all, they left their door open."
No, while they were idiots for leaving the door open, you were the only one who broke the law.
The same thing applies here. Because someone or something leaves doors open doesn't mean you can or should enter them. No one has to live with spam merchants - that's why we're taking measures to combat spam on many levels (from the national do not call registry to spam filters on the email system at the office). No one has to live with hackers, either. That's life, but not how you put it; this time, I applied your logic to both sides.
Can you live with that?
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
Actually I'd say the Hackers probably did us a favor in the long run. How bad would it be if everything were nice and rosy and then organized crime started playing hard ball?
At least we've had time to learn and understand and actually build tools to help in the defense of our systems. Now if companies ignored the petty hacker attacks that's their own fault, but at least it started with relatively innocuous stuff rather than more heavy duty attacks...
People in cars cause accidents....accidents in cars cause people
Well, I guess they did prepare us for more serious infrastructure threats, e.g. information warfare, organized crime etc.
I'd rather have an army of citizen-lamers spend decades breaking into our computers for fun, prompting us to build up an immune system.
Xcott
I see every day the results of poor practices, shoddy software, and just plain old stupidity when it comes to security. Fix those first, then worry about the hackers.
LOAD "SIG"
RUN "SIG"
Obviously this guy has never heard of espionage. *Most* (not all) hackers/crackers get in, poke around, and leave. I've known a few that actually fix shit on the way out, and leave friendly notes (though I think more highly of the do no harm crowd).
The *REAL* danger are corporate spies who not only want your secrets, but also plant spyware, or destroy infrastructure to hamper a competitor. There is also the growing instances of state-sponsored computer cracking whereby poorer nations (particularly the axis-of-evil states) seek to leverage the power of attacking information infrastructures instead of the physical infrastructure. Remember, the US didn't take down the Soviet Union by dropping bombs and shooting bullets. We bankrupted their ass in a nice game of 'keeping up with the neighbors'.
The idiot who comes in with a lit cigarette is doing nothing wrong and, supposedly, didn't intend anything evil. You're a moron for spreading kerosene all over the house. The cigarette dude isn't to blame. This is just an unfortunate incident caused by owner neglect and stupidity.
Not so with the hacker. The hacker might know the owner neglected to have decent security on his system but he's still entering the system with malice in mind.
You can call a home-owner ignorant for not locking the doors of the house but the thief who waltzes in the front door and steals the TV is still a prick and is the one who should be punished.
What I really find interesting about this Thievs/Hackers analogy is that you never hear people telling the victims of Theives that they should have had three deadbolts on the door, or saying "shame on you you don't have bars on your windows, of course you'll get broken into."
It never ceases to amaze me how much blame is laid at the feet of the users. I know running an email attachment executable is really stupid, but alot of other exploits are the equivalent of using a crowbar to break your windows. Thieves get serious jailtime and the police work to find them and they are considered the only ones to blame. In the PC realm, hackers go largely uncaught and unpersued by the athorities, and the user gets told its their fault.
He's correct in his assessment of blame. The people who hack systems, break stuff, spread viruses and bot networks etc are 100% responsible for their actions. They are violating laws left and right with no regard for others.
Yes, insecure code, a lack of a firewall or antivirus software opens you up to potential attacks, or not having the latest security patches. However that doesn't excuse an actual attack.
By the reasoning of most of the posters here, unless your home is as secure as fort knox, anyone who breaks in and steals stuff isn't really to blame... I mean, come on, you could have protected your house better. Put in pressure plates and motion sensors. Try a laser grid on the floor. Armed guards, time sealed doors, attack dogs etc. Anything less and, geeze, you're practically inviting them in to take your stuff!
That's what the Internet is like. You really have to lock up your system like Fort Knox to keep yourself safe. Even then, the burglar could find a spot in the security system that isn't fully covered and get in that way.
The ONLY secure machine is one that is sitting in the corner, surrounded by a lead box, not connected to any network or power supply. A useless machine really.
Those who attempt to maliciously exploit vulnerabilities deserve every once of blame you can possibly assign to them. I personally want to kick the guy in the balls that did the Blaster worm... took weeks to get my old workplace cleared of that thing. Just because it is POSSIBLE to exploit something does not mean you SHOULD exploit it. Too many people online use the reasoning that if it's possible it should be allowed.
I agree entirely. In particular, I think there's a lot of people who think something is okay, unless it's specifically made hard.
People NEED to take more responsibility for their actions. If I left my systems with the default passwords, didn't patch them, and had no firewall, it still would not by fault if someone broke in. It would be irresponsible of me, but that's is a different matter.
There needs to be more of a realisation that responsibility lies with the person who CHOOSES to break the law.
pi = 2*|arg(God)|
The "bad guys" (don't want to call them hackers because of the debate about that term) are not going to just go away because we give them mean looks and call them poopheads.
...), we will have to do that on the Internet.
There are three types of motivation:
1. The excitement and fulfillment that comes from understanding a system and finding the holes in it, and often leaving your mark so others know you were there.
2. Political and ideological motivations -- a desire to educate people, and punish the "enemy".
3. Economic motivations. This includes both advertising, and theft/scams.
The trends started at (1) and are increasingly moving towards (2) and (3). Ironically, the technology generated by (1) is being used by those whose motives are very different than the type (1)s.
The only way to fix this is to reduce the openness and anonymity of the Internet.
I repeat:
The only way to fix this is to reduce the openness and anonymity of the Internet.
Just as we had to find a balance between privacy and security/integrity in every other aspect of society (e.g. telephones, credit cards,
"The major disruptions now are not caused by simple thrill-seekers."
Please name one serious, high-profile hacking case (to include authoring viriii & worms) in which the perpetrator was caught and didn't turn out to be a teenager or a still adolescent 20 something.
Inside jobs don't count.
I'm sure there must be a few but I honestly can't think of any.
Not to say that there aren't real bad guys out there... they just don't seem to get caught despite all the money thrown at computer and network security.
Speaking as a sys admin for almost 20 years, most hacking has been a source of annoyance (and sometimes amusement) rather than serious damage. The oft quoted "billions & billions of damage due to hackers' is a load of crap as far as I can tell. Kind of ike the y2k bug was.
They don't frighten me. The internet was never designed for privacy to begin with. If that's your aim then paying to "hack in" extra security is the price you pay.
And you know what...? sometimes the cure is even worse than the disease.
I read somewhere recently (sorry, can't remember where) where someone (a security "expert"?) criticized a nuculear power plant's network security by saying something along the lines of "they're so backward they aren't even connected to the internet". Sounds like good security to me.
Security isn't about stopping somebody who wants to be malicious to a system and have fun with that.
.. but don't say we wouldn't want it otherwise. Firewalls are a good thing...
Its about protecting information that you otherwise don't want unauthorized people to have access to. its about espionage, its about privacy. Its about making sure you know if somebody is just looking on your system. Honestly a server can be replaced if it gets fried by some hacker trying to hurt it, and there are backups. But you'd never know if somebody went in and just invaded your privacy and looked at all your things and then left it completely clean right?, not without something like a firewall or some sort of logs and security system set up.
So yeah go blame hackers for making us think of the idea
Who makes you Sig?
Why in the world would he be bitter-- hackers and criminals keep him employed and have made him somewhat of a known figure. I understand his frustration at the lack of real morality in some people, but the bitterness is a bit over the top.
Let's look at it another way-- do you really think Batman would be happy if Gotham (or the world) were rid of crime? What would he do?
Or yet another point of view-- hackers are actually helping the economy. They have created a new market in security which creates jobs, revenue and all the other economic benefits. As Gordon Gecko might say "Hacking is good!"
To expand this a bit-- without crime there would be no need for a police force. Without war there would be no need for a military. What would we do with all that excess production capacity?
*tounge firmly planted in cheek*
They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy
How can someone be clueful and clueless all at once... Desire for fun....that did not steal 40 million credit card numbers. Everyone on Earths desire for peace and right to privacy? Tell that to the Chinese who are told what ports they can or can not secure to allow for "public monitoring" This guy is lost.
Yeah, but there's black hat and white hat. There are people who would hack into a system and leave a note saying "I was here, this is how I got in...fix this!" Then there were the ones who would hack in, delete everything or otherwise fuck it up, and then erase all signs that they were ever there. There are virus writers who write proof of concept worms and viruses to alert people to flaws in their systems, and then there are the script kiddies who have nothing better to do with their time but tweak existing viruses to beat the anti-virus signatures.
I have no use for destructive hackers. It's much easier to find a hole in a system then it is to anticipate all possible angles of attack. If some ass-hat script kiddy wants to show what a clever boy he is, he should do something useful and become a security consultant. On the other hand, that would take brains and work...
Computer criminals and black-hat-hackers are as much a fact of life as rain showers in Seattle, earthquakes in California, flus in winter, and accidents on highways.
...) is very much to blame. In fact, it should be possible to hold liable for negligence.
Security isn't an accidental byproduct of software, it is one of its primary functions; if software doesn't provide security, then it is defective. That's just like if you buy a padlock, you have an expectation that it actually works as a lock. The padlock manufacturer can't say "oh, well, our padlock doesn't work, but that's really the criminal's fault".
Any vendor that puts out software that contains easily avoidable security holes (like buffer overflows, backdoors,
What if you would pay someone to lock your door and he forgot?
Analogies don't equal equalities, they are merely somewhat analogous.
The problem, as I see it, is that since "software" is such a new concept (compared to houses, locks, etc) that people and society haven't settled on REASONABLE steps to secure things vs. UNREASONABLE steps.
For example, if I wanted to, I could easily break into the average person's home. It just isn't that hard. Does that mean they "failed" to secure it? I would think not.
There is no such thing as "perfect" security. It will always be an arms race between malicious people (or misguided non-malicious hackers) and the people trying to protect their systems.
Technically his statement is correct, however prima facia, its a foolish one. As its been said elsewhere in the comments it implies that if it were not for 'hackers' systems would be 'safe'. However as is the case with companies looking to cut every conceivable cent, there would be no security otherwise. "Why bother locking the doors there are no criminals to steal my possessions!"
This sounds merely like an argument for altruism and security thru obscurity (which of course doesn't work). Why would a company try to harden against problems, even if caused my a mistake, if there is never any pressure to think there would be a need?
Would a civilization wonder if there is anyone else out in space if they can see no stars? Problem is without external pressure, people get sloppy. Of course people are sloppy to begin with. Imagine the extent of the credit card problems we have seen in the past months if there was no security at all? Its a poor argument really.
The grandparent and parent both touch on something important. The vandal/repairman example comes straight from Hazlitt and is indeed an old fallacy. People see the new improved and rock-resistent glass and they say 'now that's progress'. What they don't see is the resources the shopkeeper had wanted to purchase with the money that had to go to the new window. The shopkeeper could have spent that money to become more efficient or expand. Or as in Hazlitt's example, bought a new suit. Then the tailor would have had more resources to put into play.
The window repairman, much like the parent poster, probably thinks rock-resistant windows and proxy firewalls are an excellent investment. When we look at the long list of technologies that changed the 20th century, many/most were developed at least in part to help wage and defend warfare. One might deduce that warfare is a creator of value. Yet war is always a destroyer of value. It is the allocation of resources that could be more suitably employed.
Let's set the record straight: "Hackers" refer to those of us who do wonderful things with the hardware and software. "Crackers" are those who seek unwarranted entry into other people's systems, usually for malicious intent.
I am a born bonafide *hacker*, and have been so for the past 27 years. I, on the other hand, am NOT a *cracker*, and I would like to see them on the business-end of a (insert your favorite weapon here). Recovering from the damage crackers have caused me and others is no fun, eats valuable time, and forces me to focus on things that are not productive, but necessary to keep them out.
Ruby Neural Evolution of Augmenting Topologies
I mean sure...the crackers DO cause all the problems, but you have to develop a system that allows for the existance of the inevitable. Yeah, communism is a great idea, but unless it can be modified to account for the fact that there will be people trying to leech off the system, it won't go very far. Similarly with computers: it's a bit foolish to complain that we wouldn't have to have information security if we didn't have all those darn criminals cracking our computers. There will always be people who want to leech because they're selfish, and there will always be criminal crackers. Part of running a society, or a computer system, is making it resilient to those that don't follow the rules.
The criminal, on the other hand, is still a criminal in this scenario because he violated the owner's house/car/computer, and no plea of "trying to protect by demonstration of vulnerability" is possible. In other words, breaking and entering is never a "favor" rendered.
When you buy a product, you expect the same due diligence in quality, truth in advertising, and utility of the product. If the producer deliberately produces an inferior product, lies about it, or if it does not live up to its utility, that producer may be subject to at the least, ridicule, and at the most, financial or criminal liability. On the other hand, someone who deliberately breaks a product has a reduced, and probably no, claim against that producer.
A hacker who draws attention to a weakness in a product may actually be a hero; however, one who deliberately breaks things or breaks into places without permission is nothing more than a criminal.
It depends on where you live. In some cities/countries/parts of the world, you are expected to have three deadbolts on the door, or some other security features. Otherwise you end up paying very high insurance fees.
There is one thing that you forgot to mention in your analogy: collateral damage. If a thief breaks into your house and steals stuff, then you may have lost something but your neighbors should still be relatively safe. But with the Internet, if some cracker breaks into your PC and adds it to his botnet, your PC will soon be inflicting significant damage on your neighbors. Although the cracker is the one to blame for starting it, the lack of security on your PC will have contributed to the collateral damage.
Let's take another analogy and replace thieves with fire: let's imagine that because it is cheaper or easier, you decide to build your house using highly flamable materials. You live in a densely populated area and several of your neighbors decide to build their houses from highgly flamable materials for the same reasons (or some company starts selling prefab houses made of flamable materials and even gets a near-monopoly on that). Now comes a pyromaniac who sets your house on fire. Bad luck, in a few hours the whole city is destroyed or damaged. Now do you really think that the only one who will be blamed is the one who started the fire? I expect that some people will also complain about the damage caused indirectly by their neighbors.
You could think about other analogies in the same vein, for example if houses could be built easily without solid foundations and if they could start falling down on each other like dominoes. I expect that some people would not be happy to have their neighbor's house falling on their own house, regardless of who pushed the first domino.
-Raphaël
As has been said by many much wiser than myself, all computer problems are fundamentally a people problem. Exploitable applications are the fault of developers, exploited applications are the fault of intruders.
Why is the blame always pushed in one direction OR the other and not both?
The biggest thing that needs to be done is to turn-off that which isn't used; allow what's needed, deny all do it in services, do it in the firewall rules at the host and routers.
We need to get it through people's heads that everything that's running is a security risk, and if the benefits don't outweigh the risks don't use it, or install it and block it's ports.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Yeah, but there's black hat and white hat. There are people who would hack into a system and leave a note saying "I was here, this is how I got in...fix this!"
If you walk onto my property, shimmy up the drainpipe, sneak onto my balcony, pick the locks, and track mud into my house, then leave a note saying: "I just broke into your insecure house! Aren't I amazing? Next time, put a better lock on the third story balcony window!", I'm still going to call the police and have you arrested for tresspassing. They'll probably charge you with breaking and entering, too.
I don't care if you call yourself a "white hat" catburgler (sneaking into other people's houses to educate them) or a "black hat" catburgler(sneaking into people's houses to steal from them). You're still a criminal, and you're still going to jail.
If you damage anything while you're in there, I'm going to sue theft and or vandalism as well. So yes, the law punishes "black hat" catburgler more harshly; but only because he's more guilty. That doesn't exonerate the so-called "white hat" catburgler from tresspass charges.
Hacking is no more justifyable than housebreaking. If you can't learn to leave other people's property alone, you belong in jail.
Just because it takes "brains and work" to figure out how to sneak into my house does not making your brilliant crime any less of a crime; and the same thing applies if you break into my computer.
--
AC
It is NOT "hackers" causing all those problems with the internets that Dumbfuck McCumstain so laments. (Yes, I AM being really insulting and offensive to Marcus Ranum! He's been really insulting and offensive towards me and my fellow hackers.)
It is thieves and vandals causing all those problems.
Hackers invented the micro/home/personal computer. Hackers invented the diverse protocols that allowed these machines to talk to one another. Hackers invented the operating systems. Hackers invented the Internet. A hacker invented the World Wide Web.
Thieves and vandals merely took advantage of what hackers have invented and shared with the world. Took advantage and turned these tools to an evil purpose. Not hackers, THIEVES & VANDALS!
The language changed some time around the early to mid eighties, when Hackers became synonymous with Crackers.
If you can't handle a 20 year old change to the English language, you shouldn't be allowed near computers. Unless you're only planning on programming in Cobol.
Get over it.
Coming soon - pyrogyra
They're the ones who are responsible for companies needing to buy the software that the company who employs me produces... thus giving me a job.
To the hackers:
Though you annoy me... my lifestyle thanks you.
No, it's more like someone opening your door and watching you have sex with your wife. Just because you left your door unlocked and allowed them easy access to your house does not mean that they are doing nothing wrong by opening up the door and peeking inside. While I agree it is stupid for someone to leave their computer unsecured, security holes do exist and it is does not absolve a hacker of any wrongdoing just because it was easy to get in.