Ranum's Rants

FUDwatch: Armenia

by Marcus J. Ranum
May 3, 2013

For a field that loves statistics, computer security sure treats them casually. In order to get my humble BA in Psychology, I absorbed my share of course hours in statistics and testing methods, including a set of lectures based upon Darrell Huff's brilliant book, "How to Lie with Statistics", which I highly recommend. It's fun, easy-reading satire, and those lectures had the effect of making me hyper-skeptical about any large, round number that's thrown my way.

The Big Red Button and the Kill Switch

by Marcus J. Ranum
April 25, 2013

I have no idea if I had a role in the "Internet Kill Switch" debacle, but it's possible that I was one of the pushes that got that particularly horrible ball rolling. Back in 2002, when I was between jobs, I did a talk at CSI in Chicago, about the need for organizations to be better able to react to attack, especially if they were part of critical infrastructure. At the time, I was concerned particularly with denial of service attacks; I had been thinking about them and had concluded that it's never going to be possible to completely prevent such attacks.

Recap: Geeking Out II with Marcus

by Marcus J. Ranum
April 15, 2013

Ron and I spent most of the webcast rotating around the theme of detection algorithms: how do you determine what is normal and what is not? We started off with one of my favorite questions, "Are there only two algorithms? Statistics - of some sort - or matching?"

New "Geeking Out" Interview Series

by Marcus J. Ranum
March 19, 2013

In case you didn't know, I have been hosting a series of "Geeking Out..." interviews, with a couple of my friends in the industry. What I want to do with the series is conduct focused interviews with practitioners who are out there dealing with the tough problems in our field; I'll ask them what works and what doesn't and why, and we'll all get a chance to learn and have an interesting conversation.

Comments and Commenting Policy

by Marcus J. Ranum
March 7, 2013

I believe that one of the things that gives a blog life and interest is its commentariat. This is not a free-for-all zone, however, so comments are moderated (for appropriateness, spam blocking, etc). The comment area is intended so you can talk amongst yourselves, though I'll try to review it and may respond occasionally.

Information Sharing: Learn From Past Mistakes

by Marcus J. Ranum
March 7, 2013

I've been asked repeatedly for my opinion about the APT1 report, and every time I try to respond I find myself waffling. The reason is simple: I think the report is a good thing, a sign of deep dysfunction in security, a stimulant to information sharing, an indicator of failed foreign policy, a brilliant marketing maneuver and a bit of business as usual. It's hard to pull those together into a simple, "yes, it's a good thing!" answer.

Not All ‘Cybers’ Are Created Equally

by Susan Brown
February 29, 2012

By Marcus Ranum, Tenable CSO

What do these four terms have in common?

Cyberwar, Cybercrime, Cyberespionage, and Cyberterror.

  • They all start with the word ‘Cyber’
  • They’re all bad stuff
  • And they’re all consistently confused with each other, despite significant differences (and sometimes conflicts) between them

Many people already know my position on ‘Cyberwar’ but things have changed significantly over the past four years in IT and physical security, technology, the government, and the military. The actual ‘Cyber’ landscape is much more nuanced than many seem to realize, which has created an unnecessary public perception of extreme vulnerability (which can lead to fear, which can be dangerous).

Your APT Anti-Hype

by Paul Asadoorian
March 1, 2010

In the interest of helping you cope with the "APT" hype, I thought I'd offer a few observations and ideas about things you can do that might actually help. After all, it's too easy to point and shout "hype" - the truth is that there is a problem, and system and network administrators who are concerned with security do have to worry about long-term embedded penetrations in their network.

There are two primary approaches to Intrusion Detection and they both work. But, they work against different threats, for different reasons. One is the 'classical' IDS approach: know what attack looks like, and look for the attack. That's what most of the signature-based IDS do, and they're good at it and therefore they are useful. The second is the 'analytical' approach (what Richard Bejtlich, in his excellent books, calls "network security monitoring"): know what your network and systems usually do, and begin an investigation if you see them suddenly start doing something new. As with everything, there are trade-offs. Some people would say that the first approach has a problem of "too many false positives" although, seriously, if your network is carrying such a large amount of apparently hostile traffic that your IDS is constantly ringing off the hook, I think you've already got a serious problem. The second approach has the problem that "start an investigation" may be outside the purview, skill set, or energy level of many system/network managers - especially now that the typical system/network admin is chief cook, busboy, and bottle-washer all rolled up in one.