Slashdot Log In
Inventor of Proxy Firewall Blames Hackers
Posted by
CmdrTaco
on Wed Jun 22, 2005 08:57 AM
from the get-your-rage-out dept.
from the get-your-rage-out dept.
An anonymous reader writes "SecurityFocus published an interview with Marcus Ranum, the inventor of the proxy firewall. It's an interesting reading, and the end is even better:
Truly, the only people who deserve a complete helping of blame are the
hackers. Let's not forget that they're the ones doing this to us. They're the
ones who are annoying an entire planet. They're the ones who are costing us
billions of dollars a year to secure our systems against them. They're the
ones who place their desire for fun ahead of everyone on earth's desire for
peace and the right to privacy."
This discussion has been archived.
No new comments can be posted.
Inventor of Proxy Firewall Blames Hackers
|
Log In/Create an Account
| Top
| 742 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
|
2
(1)
|
2
its the hackers alright! (Score:3, Funny)
Re:its the hackers alright! (Score:5, Insightful)
At least we've had time to learn and understand and actually build tools to help in the defense of our systems. Now if companies ignored the petty hacker attacks that's their own fault, but at least it started with relatively innocuous stuff rather than more heavy duty attacks...
Re:its the hackers alright! (Score:5, Insightful)
(http://tachyphrenia.blogspot.com/)
I have no use for destructive hackers. It's much easier to find a hole in a system then it is to anticipate all possible angles of attack. If some ass-hat script kiddy wants to show what a clever boy he is, he should do something useful and become a security consultant. On the other hand, that would take brains and work...
Re:its the hackers alright! (Score:5, Funny)
(http://babelfish.alt...%2F%2Fslashdot.jp%2F)
What about the guy who broke into my computer, erased my copy of Windows and installed Fedora Core in its place?
I suspect he was a Red Hat hacker, personally...
Hacker Justification (Score:4, Interesting)
(http://www.dreamops.com/ | Last Journal: Sunday October 02 2005, @10:05AM)
Besides. Hackers have been doing serious damage from day one. Besides just breaking into networks for "curiosity sake" they've been planting worms, trojans, trolling entire credit card data bases, commiting DDoS attacts, etc etc. No, not all of them, but enough to make the OPs point a ridiculous one to even attempt to justify.
Re:its the hackers alright! (Score:4, Insightful)
(Last Journal: Sunday January 28 2007, @05:20PM)
We need to get it through people's heads that everything that's running is a security risk, and if the benefits don't outweigh the risks don't use it, or install it and block it's ports.
Someone should patent blame deflection (Score:5, Insightful)
hackers. Let's not forget that they're the ones doing this to
us. They're the ones who are annoying an entire planet. They're the
ones who are costing us billions of dollars a year to secure our
systems against them. They're the ones who place their desire for fun
ahead of everyone on earth's desire for peace and the right to
privacy."
Ok, but swap a hacker's desire for fun with a software companies
desire to make money without properly taking responsiblity for
securing their product and one could also write:
Truly, the only people who deserve a complete helping of blame are the
software companies. Let's not forget that they're the ones
doing this to us. They're the ones who are annoying an entire
planet. They're the ones who are costing us billions of dollars a year
to secure our systems against them. They're the ones who place their
desire for profit ahead of everyone on earth's desire for peace
and the right to privacy."
It is like a credit card company saying that if someone breaks into
their systems and steals my credit card number, that is my
responsibility - or maybe it is the hackers fault. Well sure, it is
my fault for using a stupid bank, and the hackers fault for committing
the crime - BUT SURELY the bank has to take some fault for making this
whole possible - right?
Re:Someone should patent blame deflection (Score:5, Insightful)
(http://penguin.lvcm.com/)
Cities have legions of building inspectors for just this purpose who's job it is to actually ensure that the tradesmen actually built their part of the house up to the standards set in the local building codes.
They actually have standards in the construction industry.
Re:Someone should patent blame deflection (Score:5, Interesting)
At least a door is an effort at security. Most software makers make no effort. I can prove this by the large list of programs that require me to make hours of phone calls to find all the stupid places they put stuff so my users do not have to run in admin mode in windows.
Re:Someone should patent blame deflection (Score:5, Insightful)
In a way, hackers are kind of pointing out that the emperor has no clothes.
With that said, I, personally, find nothing wrong with a hacker trying to figure out an application / OS's vulnerabilities and sharing them with the developers. And if they do nothing about it, share it with the rest of the world to force them to. People deserve doors to have doorknobs and doors that have locks. People also deserve software that doesn't leave their anal cavity wide open for nefarious probing.
However, the hackers who run amok trying to fuck things up as much as possible for the sake of fucking it up (more script kiddies than hackers, but to the average person, they're the same); they still need to be blamed. They're still the primary culprits. But software companies can be extremely negligent at times, and thus, they bear some responsibility too. Responsibility isn't finite; just because we have two parties doesn't mean the major culprit receives any less of the blame.
And I'm rambling, again. I'm sorry.
Re:Someone should patent blame deflection (Score:5, Insightful)
(http://slashdot.org/)
We're born into this imperfect world and should expect nothing less than we've already been born into. The lock was invented before anyone presently reading this was born. This is a clear indication of the state of things and in my opinion, the nature of humans... or animals for that matter. (Raccoons, monkeys and other creatures are famous for stealing things too!)
The individuals responsible are individually responsible for their own actions and should be held accountable. But the reality that should be mentioned and understood is that we're in a world where people do shit to each other.
In that climate, we look to software makers to make reliable products. We want them to be able to withstand the efforts of the rest of the world doing what it is that's natural for them to do. It is not an impossible task. It has been shown through the virtue of patches that it can be done and since it can be patched it could also have been done right the first time had they only taken the time and effort to write it correctly to begin with.
Re:Someone should patent blame deflection (Score:5, Insightful)
(http://www.dreamhost.com/r.cgi?39901 | Last Journal: Tuesday August 03 2004, @11:07PM)
I appreciate my dog who barks when strangers approach the house - hey, it might be a problem, and early warning is useful.
Similarly, I appreciate hackers who find security holes and report them to the companies responsible.
I do NOT appreciate dogs who bite my arm and give me rabies just because I wasn't wearing a kevlar protection suit.
I do NOT appreciate hackers who install spyware on my machine just because I was a day late in applying the latest security patch.
Just because's a guy isn't wearing a cup, doesn't mean you should walk up and kick him in the groin.
Re:Article is not particularly insightful, really (Score:5, Insightful)
It never ceases to amaze me how much blame is laid at the feet of the users. I know running an email attachment executable is really stupid, but alot of other exploits are the equivalent of using a crowbar to break your windows. Thieves get serious jailtime and the police work to find them and they are considered the only ones to blame. In the PC realm, hackers go largely uncaught and unpersued by the athorities, and the user gets told its their fault.
Re:Someone should patent blame deflection (Score:5, Insightful)
(http://www.tlarson.com/)
Perhaps you should RTFA--no, really. The article was very reasonable and well-written. The synopsis was not. Here's the context from which the quote you refer to came--
Blame Canada (Score:3, Funny)
let's not forget (Score:5, Funny)
I agree... (Score:3, Interesting)
(http://www.igrill.co.uk/)
Yes hackers are a pain in the arse, so are spam merchants. Thats life, live with it.
In other news the inventor of the Yale lock blames thieves for the invention of the lock, which irritates us daily.
Re:I agree... (Score:5, Insightful)
(http://www.civilwar.org/ | Last Journal: Tuesday September 05 2006, @07:45PM)
No, while they were idiots for leaving the door open, you were the only one who broke the law.
The same thing applies here. Because someone or something leaves doors open doesn't mean you can or should enter them. No one has to live with spam merchants - that's why we're taking measures to combat spam on many levels (from the national do not call registry to spam filters on the email system at the office). No one has to live with hackers, either. That's life, but not how you put it; this time, I applied your logic to both sides.
Can you live with that?
and interestingly enough... (Score:5, Insightful)
(Last Journal: Friday June 18 2004, @11:45AM)
"They're the ones who are annoying an entire planet. They're the ones who are costing us billions of dollars a year to secure our systems against them."
Re:and interestingly enough... (Score:5, Insightful)
It's like saying the vandal who goes around smashing windows is a good guy because he keeps the window repairman employed.
Old and crusty falacy...
Re:and interestingly enough... (Score:5, Insightful)
(http://www.encyclope...i_herd_u_liek_mudkip)
The "window" tech. isn't standing still as the Vandal runs around breaking them.
Re:and interestingly enough... (Score:4, Funny)
(http://www.gwtp.net/)
Re:straight from Hazlitt (Score:5, Insightful)
The grandparent and parent both touch on something important. The vandal/repairman example comes straight from Hazlitt and is indeed an old fallacy. People see the new improved and rock-resistent glass and they say 'now that's progress'. What they don't see is the resources the shopkeeper had wanted to purchase with the money that had to go to the new window. The shopkeeper could have spent that money to become more efficient or expand. Or as in Hazlitt's example, bought a new suit. Then the tailor would have had more resources to put into play.
The window repairman, much like the parent poster, probably thinks rock-resistant windows and proxy firewalls are an excellent investment. When we look at the long list of technologies that changed the 20th century, many/most were developed at least in part to help wage and defend warfare. One might deduce that warfare is a creator of value. Yet war is always a destroyer of value. It is the allocation of resources that could be more suitably employed.
He is 100% right (Score:3, Insightful)
(Last Journal: Friday December 24 2004, @08:49PM)
But it is also our own responsibility to be sure that we can prevent people from taking advantage of us. This means that we must have those locks and firewalls. To neglect this is to essentially invite attack and intrusion. And if it isn't at the hands of one group, it will be at the hands of another.
We don't live in a perfect world, so it's important that we have adequate locks.
Re:He is 100% right (Score:5, Insightful)
(http://www.clontzville.com/)
Just because you park your car in a mall and only protect it with a piece of glass that's easily broken and an alarm that everyone will ignore doesn't make it your fault if someone breaks in and steals your car. It seems like a lot of folks, though, would blame GM for not making steel shields for your windows.
The virus/worm writers are the problem; how can anyone possibly defend them?
Re:He is 100% right (Score:5, Insightful)
He agrees with you. That quote was the last paragraph of the last answer in the interview. Here's the full question/answer:
His point: there is pleny of blame to go around, if you want to spread the blame. The hackers who break in are the reason the rest of the blame matters, but the rest is still there.
Just in case someone thought you disagreed with him. And because now everyone has read the full context of the quote we are discussing, which will be a rarity on /.
Good God... (Score:5, Insightful)
It'd sound fucking ludicrous to read that in a history book, it's no less ludicrous to read that in a modern context.
Dude, grow a pair.
Re:Good God... (Score:4, Insightful)
(http://www.ajs.com/~ajs/)
He's not deflecting blame, he's pointing out that blaming your neighbor or your vendor is fine, but the lion's share of the blame for intrusions belong's square in the lap of the intruder.
To quote TFA:However, I'd like to point out that I disagree with something fairly fundamental in what he's saying. The people who are "annoying us" make us build better security, and I'm much rather have a numbskull try to poke at my security for bragging rights than have nothing for years and then a series of well-organized, well-hidden attacks that gain long-term access to sensitve data. I don't enjoy having to secure networks against boneheads, but I don't blame them for having to build good security, that should have been done from the day the first machine sent out a set of voltage modulations that could loosely be called "IP".
"Desire for fun"? Oh please.. (Score:5, Informative)
(http://www.gamesurge.net/)
In the past years, we have seen profit-seeking criminals discover how useful insecure systems are to them. The major disruptions now are not caused by simple thrill-seekers.
Re:"Desire for fun"? Oh please.. (Score:4, Insightful)
(Last Journal: Thursday February 17 2005, @12:20PM)
Please name one serious, high-profile hacking case (to include authoring viriii & worms) in which the perpetrator was caught and didn't turn out to be a teenager or a still adolescent 20 something.
Inside jobs don't count.
I'm sure there must be a few but I honestly can't think of any.
Not to say that there aren't real bad guys out there... they just don't seem to get caught despite all the money thrown at computer and network security.
Speaking as a sys admin for almost 20 years, most hacking has been a source of annoyance (and sometimes amusement) rather than serious damage. The oft quoted "billions & billions of damage due to hackers' is a load of crap as far as I can tell. Kind of ike the y2k bug was.
They don't frighten me. The internet was never designed for privacy to begin with. If that's your aim then paying to "hack in" extra security is the price you pay.
And you know what...? sometimes the cure is even worse than the disease.
I read somewhere recently (sorry, can't remember where) where someone (a security "expert"?) criticized a nuculear power plant's network security by saying something along the lines of "they're so backward they aren't even connected to the internet". Sounds like good security to me.
Re:"Desire for fun"? Oh please.. (Score:5, Interesting)
sPh
Re:He means crackers right? (Score:4, Insightful)
(Last Journal: Thursday January 05 2006, @07:19AM)
criminal hacker == hacker therefore
criminal hacker == hacker
Didn't I just read the Onion? (Score:4, Funny)
(http://www.thecomputerbarn.com/)
Is it just me or does this sound like a Onion story?
Could not be more wrong (Score:5, Insightful)
What would you prefer? An Internet full of weak hosts, with a wealth of unexploited security holes and weakly configured security systems, where your security is left up to the good will of others (everybody just play nice now)? Or one where leary vendors and service providers stand in constant vigilance over security issues, because they have to. The wolves are circling the herd.
What would happen if all the 'hackers' just went away? Everyone would get complacent. Security holes would proliferate, until the temptation just became too large and someone takes it all down in one fell swoop.
Re:Could not be more wrong (Score:4, Insightful)
No, these are the ticks, the mosquitoes, the starlings. They annoy the shit out of the system, occaisionally cause or induce actual harm, but are for the most part really just benign, in the grand scheme of things.
The real wolves are the RIAA/MPAA, corporate agriculture, "Free Trade" advocates, Brazilian soy bean farmers, squeeky wheel Revelationists, neo-Talibanists in the US, etc., a culture that seems to know the price of everything and the value of nothing, and Congresses (US and EU) that values their corporate ties more or less above all else, and has forgotten that its job is not to get itself reelected, but to serve the people of the US and country, not serve the companies that serve the people.
boo-hoo-hoo (Score:3, Insightful)
If there weren't any burglars around, I wouldn't have to lock the doors of my house.
If everyone would abide traffic rules, the need for airbags etc. would vanish.
This guy is not only complete missing any connection with the outside world, he also forgets that there are thousands of people working in the (IT) security industry, making a living. It may sound silly, but we keep our economy going this way. This is why there are so many economists/therapists/lawyers/communication advisors/etc. around.
I feel like feeding the troll here. Time to knock it off...
Lord of the Walls (Score:3, Funny)
*gollum, gollum*
Hackers = Canaries in the Coal Mine (Score:5, Insightful)
(http://www.andrewkrause.com/)
The *REAL* danger are corporate spies who not only want your secrets, but also plant spyware, or destroy infrastructure to hamper a competitor. There is also the growing instances of state-sponsored computer cracking whereby poorer nations (particularly the axis-of-evil states) seek to leverage the power of attacking information infrastructures instead of the physical infrastructure. Remember, the US didn't take down the Soviet Union by dropping bombs and shooting bullets. We bankrupted their ass in a nice game of 'keeping up with the neighbors'.
In a related story (Score:3, Funny)
Criminal Responsibile for the Crime (Score:5, Insightful)
(http://www.evilsysadmin.net/)
Yes, insecure code, a lack of a firewall or antivirus software opens you up to potential attacks, or not having the latest security patches. However that doesn't excuse an actual attack.
By the reasoning of most of the posters here, unless your home is as secure as fort knox, anyone who breaks in and steals stuff isn't really to blame... I mean, come on, you could have protected your house better. Put in pressure plates and motion sensors. Try a laser grid on the floor. Armed guards, time sealed doors, attack dogs etc. Anything less and, geeze, you're practically inviting them in to take your stuff!
That's what the Internet is like. You really have to lock up your system like Fort Knox to keep yourself safe. Even then, the burglar could find a spot in the security system that isn't fully covered and get in that way.
The ONLY secure machine is one that is sitting in the corner, surrounded by a lead box, not connected to any network or power supply. A useless machine really.
Those who attempt to maliciously exploit vulnerabilities deserve every once of blame you can possibly assign to them. I personally want to kick the guy in the balls that did the Blaster worm... took weeks to get my old workplace cleared of that thing. Just because it is POSSIBLE to exploit something does not mean you SHOULD exploit it. Too many people online use the reasoning that if it's possible it should be allowed.
Say hello to evolution (Score:3, Interesting)
(http://maraist.homelinux.com:5180/)
A patron is looking for a good deal, and will expend effort to maximize their deal, so sloopy wording on a sign on your store-front are invites to a natural onslaught of fiscal frustration. By natural, I mean there is no evil intent in people trying to keep you for your word in maintaining a good bargain (that you didn't intend).
If there is money on the street, it is conceivable that:
a) the original owner will never find it again
b) someone else will take the money
So you justify taking the money yourself.
If you are hungry, you might be inclined to take two samples at a free food-sample kiosk. It's unfair as it goes beyond the intent of "sampling" and takes away from other's (since there is usually a set amount of sample provided for the day).
In reality, those that are sheltered from such harsh survival of the fittest environments will EVENTUALLY meet with that environment.. It is impossible (short of death) to avoid it. Thus the question is not IF we will meet our challenges, but when, and how quickly will the difficulty level rise.
For those with assets we fear to loose (time,money,posessions,intellectual property, etc), it is natural for them to be saught by others. Having a public wiki is valueable advertising real-estate (or a personal repository for globally accessible content). So grafiti, being merely a primitive form of marketing, is bound to happen. Bank accounts are an obvious point of content.. If you happened to come across money on the street, you are more than likely to take it. If your ATM machine started allowing you to withdraw cash w/o deducting from your bank account, there is a better than likely chance that you'll take advantage (anonymous theft when it is considered to not overwhelmingly harm someone else - proportionate loss/gain - is often self justified). There isn't much difference from taking from that ATM machine and taking from an online bank account that you've happened by. Yes there is a greater issue of proportionality (you might be stealing from someone poorer than you), but you might think to yourself (I'm teaching them a lesson).. What-ever the cause, an otherwise moral man may find themselves tempted.. To say nothing of the mafia.
And ultimately organized crime is the tyrannasauras of our internet age. The mafia being only one form of it (unfriendly governments being an even more serious threat). The age of mafia and internet "WAR" (literally between nation-states) is only a matter of time.
So if our "evolution" through natural selection and adverse environment does not "toughen" us enough to sustain such natural phenomena, then we will die (or at least the medium will die).
So lets look again at these "evil" hackers. Many of the hackers were self-professed white-hackers, or anonymous exposers. If you are inclined to see if a WEB-INF directory or IIS-specific file-set are visible on a public site, you can either email their sys-admin who might sue you for hacking, or simply ignore you (like MS tries to do with serious security alerts so long as the general public is oblivious), or you can make it a priority for them... Deface their web site, delete lots of their database records.. Make it too expensive for them NOT to resolve the issue.
These are altruistic people. Slightly less altruistic are those that advertise themselves 3l33t hacker-names advertised here and there. As they have the fun and recognition-factor of it all (especially if they get CNN coverage).
Embrace th
blame everybody (Score:5, Insightful)
(http://iammikesdomain.com/ | Last Journal: Monday March 03 2003, @01:13PM)
Its about protecting information that you otherwise don't want unauthorized people to have access to. its about espionage, its about privacy. Its about making sure you know if somebody is just looking on your system. Honestly a server can be replaced if it gets fried by some hacker trying to hurt it, and there are backups. But you'd never know if somebody went in and just invaded your privacy and looked at all your things and then left it completely clean right?, not without something like a firewall or some sort of logs and security system set up.
So yeah go blame hackers for making us think of the idea
Inventor of proxy firewall - takes another toke (Score:4, Insightful)
(Last Journal: Tuesday August 17 2004, @02:46PM)
How can someone be clueful and clueless all at once... Desire for fun....that did not steal 40 million credit card numbers. Everyone on Earths desire for peace and right to privacy? Tell that to the Chinese who are told what ports they can or can not secure to allow for "public monitoring" This guy is lost.
bullshit (Score:4, Insightful)
Security isn't an accidental byproduct of software, it is one of its primary functions; if software doesn't provide security, then it is defective. That's just like if you buy a padlock, you have an expectation that it actually works as a lock. The padlock manufacturer can't say "oh, well, our padlock doesn't work, but that's really the criminal's fault".
Any vendor that puts out software that contains easily avoidable security holes (like buffer overflows, backdoors,
Blame vs responsibility (Score:4, Insightful)
(http://irc.macintosh.efnet.com/ | Last Journal: Sunday July 04 2004, @07:33PM)
This sounds merely like an argument for altruism and security thru obscurity (which of course doesn't work). Why would a company try to harden against problems, even if caused my a mistake, if there is never any pressure to think there would be a need?
Would a civilization wonder if there is anyone else out in space if they can see no stars? Problem is without external pressure, people get sloppy. Of course people are sloppy to begin with. Imagine the extent of the credit card problems we have seen in the past months if there was no security at all? Its a poor argument really.
UberMUD & UnterMUD (Score:3, Interesting)
Thought I'd mention a bit of history (long since forgotten) that Marcus Ranum was also the author of the UberMUD and UnterMUD, mud engines. Two very nice mud cores, written in K&R C that ran on Ultrix. Both had their own strengths and weaknesses. UberMUD was my favourite, as it had its own scripting language called "U". UnterMUD didn't so it was harder to develop on, but its filestore backend was much smarter than Uber's. A union of the two would have been the perfect MUD engine IMO.
This strikes me as whining... (Score:3, Insightful)
(http://etherplex.org/)
600 Fucking Posts and Nobody RTFA! (Score:3, Informative)
Get over the last paragraph, morons, and RTFA!
It's FAR more insightful than any of the comments I've seen bitching about the "blame hackers" paragraph - which was preceded by "blame everybody else" sentences anyway.
You guys sound like the big media press whenever somebody gets caught faking or running false stories - "Oh, woe is us! Somebody is blaming us for being idiots! We're such a poor, put-upon industry!"
Deal with it!