Slashdot Mirror


Inventor of Proxy Firewall Blames Hackers

An anonymous reader writes "SecurityFocus published an interview with Marcus Ranum, the inventor of the proxy firewall. It's interesting reading, and the end is even better: Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."


  1. Someone should patent blame deflection by _am99_ · · Score: 5, Insightful

    Truly, the only people who deserve a complete helping of blame are the
    hackers. Let's not forget that they're the ones doing this to
    us. They're the ones who are annoying an entire planet. They're the
    ones who are costing us billions of dollars a year to secure our
    systems against them. They're the ones who place their desire for fun
    ahead of everyone on earth's desire for peace and the right to
    privacy."


    Ok, but swap a hacker's desire for fun with a software company's
    desire to make money without properly taking responsibility for
    securing their product and one could also write:

    Truly, the only people who deserve a complete helping of blame are the
    software companies. Let's not forget that they're the ones
    doing this to us. They're the ones who are annoying an entire
    planet. They're the ones who are costing us billions of dollars a year
    to secure our systems against them. They're the ones who place their
    desire for profit ahead of everyone on earth's desire for peace
    and the right to privacy."


    It is like a credit card company saying that if someone breaks into
    their systems and steals my credit card number, that is my
    responsibility - or maybe it is the hacker's fault. Well sure, it is
    my fault for using a stupid bank, and the hacker's fault for committing
    the crime - BUT SURELY the bank has to take some fault for making this
    whole possible - right?

    1. Re:Someone should patent blame deflection by erroneus · · Score: 5, Insightful

      At first I was going to mod this +interesting or something like that but I think I'd rather just add to it.

      We're born into this imperfect world and should expect nothing less than we've already been born into. The lock was invented before anyone presently reading this was born. This is a clear indication of the state of things and in my opinion, the nature of humans... or animals for that matter. (Raccoons, monkeys and other creatures are famous for stealing things too!)

      The individuals responsible are individually responsible for their own actions and should be held accountable. But the reality that should be mentioned and understood is that we're in a world where people do shit to each other.

      In that climate, we look to software makers to make reliable products. We want them to be able to withstand the efforts of the rest of the world doing what it is that's natural for them to do. It is not an impossible task. It has been shown through the virtue of patches that it can be done and since it can be patched it could also have been done right the first time had they only taken the time and effort to write it correctly to begin with.

    2. Re:Someone should patent blame deflection by jedidiah · · Score: 4, Insightful

      No, it's the builder's fault if the construction of the door was faulty to begin with. If a burglar can walk up to your front door, pound on the hinge side slightly and cause the entire door to fall in THEN THE BUILDER IS IN FACT RESPONSIBLE.

      Cities have legions of building inspectors for just this purpose whose job it is to actually ensure that the tradesmen actually built their part of the house up to the standards set in the local building codes.

      They actually have standards in the construction industry.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    3. Re:Someone should patent blame deflection by Skye16 · · Score: 4, Insightful

      If I push open your front door because the builder didn't even bother to put a door knob on it, much less a lock, then is the fault mine? Absolutely. Does the builder have responsibility in this too? Absolutely again.

      In a way, hackers are kind of pointing out that the emperor has no clothes.

      With that said, I, personally, find nothing wrong with a hacker trying to figure out an application / OS's vulnerabilities and sharing them with the developers. And if they do nothing about it, share it with the rest of the world to force them to. People deserve doors to have doorknobs and doors that have locks. People also deserve software that doesn't leave their anal cavity wide open for nefarious probing.

      However, the hackers who run amok trying to fuck things up as much as possible for the sake of fucking it up (more script kiddies than hackers, but to the average person, they're the same); they still need to be blamed. They're still the primary culprits. But software companies can be extremely negligent at times, and thus, they bear some responsibility too. Responsibility isn't finite; just because we have two parties doesn't mean the major culprit receives any less of the blame.

      And I'm rambling, again. I'm sorry.

    4. Re:Someone should patent blame deflection by FictionPimp · · Score: 4, Interesting

      Yea, but my house was built without doors, just big gaping holes. So how dare you come in and steal my stuff. I can't believe people would be so dishonest.

      At least a door is an effort at security. Most software makers make no effort. I can prove this by the large list of programs that require me to make hours of phone calls to find all the stupid places they put stuff so my users do not have to run in admin mode in windows.

    5. Re:Someone should patent blame deflection by tyler_larson · · Score: 4, Insightful
      Ok, but swap a hacker's desire for fun with a software company's desire to make money without properly taking responsibility for securing their product and one could also write:

      Perhaps you should RTFA--no, really. The article was very reasonable and well-written. The synopsis was not. Here's the context from which the quote you refer to came--

      If we consider the Internet as a big local network, we will see that some of our neighbours keep getting exploited by spyware, virus, and so on. Who should we blame? OS producers? Or our neighbours that chose that particular software and then run it without an appropriate secure setup?

      There's enough blame for everyone.

      Blame the users who don't secure their systems and applications.

      Blame the vendors who write and distribute insecure shovel-ware.

      Blame the sleazebags who make their living infecting innocent people with spyware, or sending spam.

      Blame Microsoft for producing an operating system that is bloated and has an ineffective permissions model and poor default configurations.

      Blame the IT managers who overrule their security practitioners' advice and put their systems at risk in the interest of convenience. Etc.

      Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and [the] right to privacy.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    6. Re:Someone should patent blame deflection by Anonymous+Custard · · Score: 4, Insightful

      Blaming "the hackers" for finding and exploiting insecurities in your software is like blaming barking dogs for your insomnia. The dog is just being a dog. Hackers or dogs may or may not be providing you with a service, by alerting you to real trouble coming your way.

      I appreciate my dog who barks when strangers approach the house - hey, it might be a problem, and early warning is useful.

      Similarly, I appreciate hackers who find security holes and report them to the companies responsible.

      I do NOT appreciate dogs who bite my arm and give me rabies just because I wasn't wearing a kevlar protection suit.

      I do NOT appreciate hackers who install spyware on my machine just because I was a day late in applying the latest security patch.

      Just because a guy isn't wearing a cup, doesn't mean you should walk up and kick him in the groin.

  2. let's not forget by g0bshiTe · · Score: 4, Funny

    being the inventor of said firewall they have most assuredly paid your bills for some time.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  3. and interestingly enough... by Mz6 · · Score: 4, Insightful
    they're also the ones that keep you and I employed.

    "They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them."

    --
    Hmmm.
    1. Re:and interestingly enough... by Anonymous Coward · · Score: 5, Insightful

      But if they weren't keeping you and I employed we could both be employed doing more productive things.

      It's like saying the vandal who goes around smashing windows is a good guy because he keeps the window repairman employed.

      Old and crusty fallacy...

    2. Re:and interestingly enough... by WhatAmIDoingHere · · Score: 4, Insightful

      No, it's not quite like that. It would be more like: If the window repairman developed newer windows that were harder to break. If the vandal never broke the original windows, they would still be as easy to break as they originally were. But now, thanks to the Vandal, they're improved and rock-resistant.

      The "window" tech. isn't standing still as the Vandal runs around breaking them.

      --
      Not a Twitter sockpuppet... but I wish I was.
    3. Re:and interestingly enough... by Zwets · · Score: 4, Funny

      This new kind of window would provide eXtreme Protection. I guess it would be called 'Window XP'.

      --
      One of the lessons of history is that nothing is often a good thing to do and always a clever thing to say. - Will Duran
  4. Good God... by aendeuryu · · Score: 5, Insightful

    Rome builds shitty wall, Emperor blames failure on existence of barbarian hordes.

    It'd sound fucking ludicrous to read that in a history book, it's no less ludicrous to read that in a modern context.

    Dude, grow a pair.

  5. "Desire for fun"? Oh please.. by Entrope · · Score: 5, Informative

    Perhaps five or ten years ago it would have been plausible to say that computer criminals were largely breaking into others' machines for fun -- but even then, as Clifford Stoll discovered, there were exceptions. Then it turned into more of an organized enterprise. People controlling most of the infected machines on the Internet are NOT doing it out of curiosity or fun: They are doing it for power, and exploiting that for criminal enterprise.

    In the past years, we have seen profit-seeking criminals discover how useful insecure systems are to them. The major disruptions now are not caused by simple thrill-seekers.

  6. Didn't I just read the Onion? by wubboy · · Score: 4, Funny

    "Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and the right to privacy."

    Is it just me or does this sound like an Onion story?

    --
    Sit... Speak.... Shake.... Good Dog!
  7. Could not be more wrong by joshv · · Score: 4, Insightful

    Virus writers, crackers and their ilk are the predators and pathogens of the Internet ecosystem. They kill off the weak and make the rest stronger.

    What would you prefer? An Internet full of weak hosts, with a wealth of unexploited security holes and weakly configured security systems, where your security is left up to the good will of others (everybody just play nice now)? Or one where leery vendors and service providers stand in constant vigilance over security issues, because they have to. The wolves are circling the herd.

    What would happen if all the 'hackers' just went away? Everyone would get complacent. Security holes would proliferate, until the temptation just became too large and someone takes it all down in one fell swoop.

  8. Re:He is 100% right by clontzman · · Score: 4, Insightful

    I don't think he's arguing that. He's just saying that the people who are making this trouble are the problem, not the people who are making the software that tries to protect people.

    Just because you park your car in a mall and only protect it with a piece of glass that's easily broken and an alarm that everyone will ignore doesn't make it your fault if someone breaks in and steals your car. It seems like a lot of folks, though, would blame GM for not making steel shields for your windows.

    The virus/worm writers are the problem; how can anyone possibly defend them?

  9. Re:I agree... by Southpaw018 · · Score: 5, Insightful

    If I'm reading that right, you have it backwards - like a lot of people, I think. If, let's say, someone left their front door open and you saw some nice lookin shiny thing while walking down the street, and you went in and took it, then got caught...what would the police say? "Oh, it's not your fault. After all, they left their door open."

    No, while they were idiots for leaving the door open, you were the only one who broke the law.

    The same thing applies here. Because someone or something leaves doors open doesn't mean you can or should enter them. No one has to live with spam merchants - that's why we're taking measures to combat spam on many levels (from the national do not call registry to spam filters on the email system at the office). No one has to live with hackers, either. That's life, but not how you put it; this time, I applied your logic to both sides.

    Can you live with that?

    --
    ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
  10. Re:its the hackers alright! by pixelpusher220 · · Score: 5, Insightful

    Actually I'd say the Hackers probably did us a favor in the long run. How bad would it be if everything were nice and rosy and then organized crime started playing hard ball?

    At least we've had time to learn and understand and actually build tools to help in the defense of our systems. Now if companies ignored the petty hacker attacks that's their own fault, but at least it started with relatively innocuous stuff rather than more heavy duty attacks...


    --
    People in cars cause accidents....accidents in cars cause people :-D
  11. Re:He is 100% right by Daniel_Staal · · Score: 5, Insightful

    He agrees with you. That quote was the last paragraph of the last answer in the interview. Here's the full question/answer:

    If we consider the Internet as a big local network, we will see that some of our neighbours keep getting exploited by spyware, virus, and so on. Who should we blame? OS producers? Or our neighbours that chose that particular software and then run it without an appropriate secure setup?

    There's enough blame for everyone.

    Blame the users who don't secure their systems and applications.

    Blame the vendors who write and distribute insecure shovel-ware.

    Blame the sleazebags who make their living infecting innocent people with spyware, or sending spam.

    Blame Microsoft for producing an operating system that is bloated and has an ineffective permissions model and poor default configurations.

    Blame the IT managers who overrule their security practitioners' advice and put their systems at risk in the interest of convenience. Etc.

    Truly, the only people who deserve a complete helping of blame are the hackers. Let's not forget that they're the ones doing this to us. They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them. They're the ones who place their desire for fun ahead of everyone on earth's desire for peace and [the] right to privacy.

    His point: there is plenty of blame to go around, if you want to spread the blame. The hackers who break in are the reason the rest of the blame matters, but the rest is still there.

    Just in case someone thought you disagreed with him. And because now everyone has read the full context of the quote we are discussing, which will be a rarity on /.

    --
    'Sensible' is a curse word.
  12. Hackers = Canaries in the Coal Mine by thelizman · · Score: 5, Insightful

    Obviously this guy has never heard of espionage. *Most* (not all) hackers/crackers get in, poke around, and leave. I've known a few that actually fix shit on the way out, and leave friendly notes (though I think more highly of the do no harm crowd).

    The *REAL* danger are corporate spies who not only want your secrets, but also plant spyware, or destroy infrastructure to hamper a competitor. There are also the growing instances of state-sponsored computer cracking whereby poorer nations (particularly the axis-of-evil states) seek to leverage the power of attacking information infrastructures instead of the physical infrastructure. Remember, the US didn't take down the Soviet Union by dropping bombs and shooting bullets. We bankrupted their ass in a nice game of 'keeping up with the neighbors'.

  13. Re:Article is not particularly insightful, really by JWW · · Score: 4, Insightful

    What I really find interesting about this Thieves/Hackers analogy is that you never hear people telling the victims of Thieves that they should have had three deadbolts on the door, or saying "shame on you, you don't have bars on your windows, of course you'll get broken into."

    It never ceases to amaze me how much blame is laid at the feet of the users. I know running an email attachment executable is really stupid, but a lot of other exploits are the equivalent of using a crowbar to break your windows. Thieves get serious jailtime and the police work to find them and they are considered the only ones to blame. In the PC realm, hackers go largely uncaught and unpursued by the authorities, and the user gets told it's their fault.

  14. Criminal Responsible for the Crime by zoomba · · Score: 4, Insightful

    He's correct in his assessment of blame. The people who hack systems, break stuff, spread viruses and bot networks etc are 100% responsible for their actions. They are violating laws left and right with no regard for others.

    Yes, insecure code, a lack of a firewall or antivirus software opens you up to potential attacks, or not having the latest security patches. However that doesn't excuse an actual attack.

    By the reasoning of most of the posters here, unless your home is as secure as fort knox, anyone who breaks in and steals stuff isn't really to blame... I mean, come on, you could have protected your house better. Put in pressure plates and motion sensors. Try a laser grid on the floor. Armed guards, time sealed doors, attack dogs etc. Anything less and, geeze, you're practically inviting them in to take your stuff!

    That's what the Internet is like. You really have to lock up your system like Fort Knox to keep yourself safe. Even then, the burglar could find a spot in the security system that isn't fully covered and get in that way.

    The ONLY secure machine is one that is sitting in the corner, surrounded by a lead box, not connected to any network or power supply. A useless machine really.

    Those who attempt to maliciously exploit vulnerabilities deserve every ounce of blame you can possibly assign to them. I personally want to kick the guy in the balls that did the Blaster worm... took weeks to get my old workplace cleared of that thing. Just because it is POSSIBLE to exploit something does not mean you SHOULD exploit it. Too many people online use the reasoning that if it's possible it should be allowed.

  15. blame everybody by Monofilament · · Score: 4, Insightful

    Security isn't about stopping somebody who wants to be malicious to a system and have fun with that.

    It's about protecting information that you otherwise don't want unauthorized people to have access to. It's about espionage, it's about privacy. It's about making sure you know if somebody is just looking on your system. Honestly a server can be replaced if it gets fried by some hacker trying to hurt it, and there are backups. But you'd never know if somebody went in and just invaded your privacy and looked at all your things and then left it completely clean, right? Not without something like a firewall or some sort of logs and security system set up.

    So yeah go blame hackers for making us think of the idea .. but don't say we wouldn't want it otherwise. Firewalls are a good thing...

    --


    Who makes you Sig?
  16. Re:its the hackers alright! by Thangodin · · Score: 4, Insightful

    Yeah, but there's black hat and white hat. There are people who would hack into a system and leave a note saying "I was here, this is how I got in...fix this!" Then there were the ones who would hack in, delete everything or otherwise fuck it up, and then erase all signs that they were ever there. There are virus writers who write proof of concept worms and viruses to alert people to flaws in their systems, and then there are the script kiddies who have nothing better to do with their time but tweak existing viruses to beat the anti-virus signatures.

    I have no use for destructive hackers. It's much easier to find a hole in a system than it is to anticipate all possible angles of attack. If some ass-hat script kiddy wants to show what a clever boy he is, he should do something useful and become a security consultant. On the other hand, that would take brains and work...

  17. Re:its the hackers alright! by Dogtanian · · Score: 4, Funny

    Yeah, but there's black hat and white hat.

    What about the guy who broke into my computer, erased my copy of Windows and installed Fedora Core in its place?

    I suspect he was a Red Hat hacker, personally...

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  18. Re:straight from Hazlitt by eventDriven · · Score: 5, Insightful

    The grandparent and parent both touch on something important. The vandal/repairman example comes straight from Hazlitt and is indeed an old fallacy. People see the new improved and rock-resistant glass and they say 'now that's progress'. What they don't see is the resources the shopkeeper had wanted to purchase with the money that had to go to the new window. The shopkeeper could have spent that money to become more efficient or expand. Or as in Hazlitt's example, bought a new suit. Then the tailor would have had more resources to put into play.

    The window repairman, much like the parent poster, probably thinks rock-resistant windows and proxy firewalls are an excellent investment. When we look at the long list of technologies that changed the 20th century, many/most were developed at least in part to help wage and defend warfare. One might deduce that warfare is a creator of value. Yet war is always a destroyer of value. It is the allocation of resources that could be more suitably employed.

  19. Re:"Desire for fun"? Oh please.. by sphealey · · Score: 4, Interesting
    There is this thing out there called Google News. You might want to give it a try:
    (IsraelNN.com) The first charges in the "Trojan Horse" mass industrial espionage case, which implicates many of Israel's economic powerhouses, have been filed with a Tel Aviv Magistrate's Court today.

    The charges were filed against the private investigator alleged to have obtained sensitive business information from Israeli businesses illegally by means of a Trojan Horse computer program. He then sold the information obtained to the targeted businesses' competitors.

    It is in fact not teenagers, but directed industrial espionage at best, international espionage at worst.

    sPh