Interview with Marcus Ranum in IEEE Security and Privacy
The latest issue of IEEE Security and Privacy features an interview (only accessible if you subscribe to IEEE) with Marcus Ranum (the firewall guy). He makes some specific claims in it which I strongly disagree with.
First, he criticizes Microsoft for constantly enhancing their products with new features, which of course result in new security vulnerabilities. He compares this to a website which he made a long time ago, which was really small. The result of the website? Well it's still up today and they never needed to patch it. Talk about bad analogies. Does anyone remember Windows 3.1.1? I do. It sucked. Let's say for the sake of argument that Windows 3.1.1 was hypersecure, would you be willing to trade it for Windows XP (or even Windows ME or whatever other Microsoft security disaster)? I know I wouldn't (which is why I use Mac OS X: it may be terribly insecure, but I like using it). Security is not a goal, security is a non-functional requirement which is very important. More important, however, is that the software has functionality that users need. Requirements also change over time: the website he made may be secure, but it was obviously for a company that is not evolving rapidly. When Office was first released, you couldn't use it to create web pages and saving everything as a Word document was fine. Nowadays people expect to be able to save their files as html or pdf (does Word support this natively these days?). New requirements mean new features which mean new security vulnerabilities. There's no getting around that, unless you are happy with stone age systems. For people that have reliability as an absolute requirement, this may be acceptable. For the rest of us it is not.
He also talks about hackers, claiming that if they weren't around the computer industry would be unnecessary. This seems a lot like overgeneralizing: sure, there are hackers that break into systems just for the sake of breaking into them. But there are many that also (or just) like security and like finding bugs. While I agree that the term hacker has lost its original meaning, it is not just someone who breaks into systems (and from what Ranum says in the interview, he doesn't think so either). He compares hackers to burglars: no burglars, no need for locks. How many burglars are there that go around pointing out the ways one can break a lock and try to get the vendors to fix them? I can't think of many (this type of hacker would fall under Ranum's use in the interview when he says that hackers are asking "for us to thank them"). First he talks about all the damage hackers do, then he claims that hackers are asking for gratitude. Obviously the hackers that purely break into systems for whatever reason are not the ones asking for the gratitude. The ones that report the vulnerability rather than keeping it quiet and using it for their own purposes are the ones we should be thanking.
