Schneier and Ranum on Face-Off Video

Marcus Ranum and I did two video versions of our Face-Off column: one on cloud computing, and the other on who should be in charge of cyber-security.

Posted on May 22, 2009 at 2:33 PM • 14 Comments

Comments

Rex • May 22, 2009 8:04 PM

Interesting discussion. (However, I would recommend changing how you're seated, since it's a bit awkward for you to both be making no eye contact with each other when you're conversing.)

Maxwell Smart • May 23, 2009 1:18 AM

And Ranum's credibility is from what? He coded a firewall and has an ego.

'has been'.

supachupa • May 23, 2009 1:35 AM

Cloud computing is just a buzzphrase for outsourcing virtual machine support and sharing computing resources. Nothing new here.

As pointed out, you have to trust the provider... otherwise you have to choose to stay in house.

This points us to the never-ending cycle of where the best skills lie. Should we expect that our in-house staff are incompetent and that the larger organisations have all the best skills to provide us secure and robust environments? Who should we trust the most?

I'd suggest that it depends on the economic cycle. In times of boom, the larger organisations will attract the best skills by paying higher, however as demand increases for more workers, they are forced to recruit anyone with a heartbeat. In times of bust, the skills will recede back to the smaller organisations.

By staying flexible and portable you can deal with both cases. I don't buy in to the fear that Amazon or whoever is going to hold your data hostage. As part of your business continuity management, it should be determined how access to your data (backups, etc) will be obtained in the event that you need to build-out your infrastructure in-house or elsewhere.

So just like your internal IT staff, you should trust these providers to do their jobs. You should also have controls in place for mitigation so that your business can continue in any reasonably possible scenario and you can recover lost revenue and reputation funds if they f* up.

Sitaram Chamarty • May 23, 2009 1:57 AM

Is there a text/html version somewhere I can send off as a link or quote from in an email (with attribution, of course)? This video said all the things I've said at $DAYJOB in a certain internal discussion, but it also has more things and they're said more pithily :-)

John Connor • May 23, 2009 6:28 AM

Hey, isn't Marcus Ranum that guy from the Terminator Salvation movie? Don't trust him Bruce! I think he might be a cyborg!

Jim Goltz • May 23, 2009 12:23 PM

I used to work for Marcus. He's definitely not a moron. In fact, these two discussions are only nominally "head-to-head". Sounds like Mr. Schneier and Mr. Ranum are actually in agreement on key points.

Ranum Fan • May 25, 2009 10:51 PM

Government security and government budgets are the same problem. Ooops we screwed up, this means you have to give up more money. Yes, we do reward failure. I agree with Ranum, we need to change the reward in order to change the outcome.

BF Skinner • May 27, 2009 6:28 AM

@gregg dourgarian "Under-mentions the frequency of in-house fail."

So how much worse when you transfer your critical data to someone else's house?

The problems we've seen in applying security to the cloud are partly that everyone's been saying it's new! WOW! and we're like, how? In what way? So, like, we're a little confused.

Our biggest tactical problem has been to establish a system boundary and data flows. Most cloud vendors (at least to non-Gov't people and orgs) only promise to present your data when asked. They don't commit to a specific set of physical hardware, data instances, and geographic locations.

Unless things have changed and I didn't get a memo, these are elements necessary to complete a risk assessment and plan for security and contingencies.

gregg dourgarian • May 27, 2009 8:30 AM

@BF Skinner
Here's the memo: it's safer to fly from Minneapolis to LAX than to drive there yourself.

The airline doesn't commit to physical hardware or specific pilots or route. We don't get a complete risk assessment or plan for security and contingencies.

We just know you're more likely to crash falling asleep through Omaha than anything the airline might encounter.

To be fair, it seems your post addresses a much higher-level problem than mine, which is about what most organizations, and in particular SMEs, face.

The 'faceoff' didn't address the elephant in the room, self-host fail.

BF Skinner • May 27, 2009 5:34 PM

@ gregg dourgarian

Oh THAT memo. Sure, THAT memo I got. I mean, who DIDN'T get that memo. I stopped driving through Omaha for that reason... Oh heck, I stopped driving through Oklahoma.
No loss. GREAT risk reduction.

Must have been a meeting I missed.

The case (my case, as you acknowledge) is slightly different in that the risk is borne individually by passengers and collectively by airline agents, insurance agents and government regulators. A single breach of data is of lower impact to an individual than to its host organization/providers.

The provisioning of the services to individuals/small orgs may not have been explicitly defined, but both Bruce and Ranum did start talking to it when he said that if you give a company your data, they OWN your data. Leave a cloud contract and who keeps a copy of your data?

This all needs diagramming! Where's my white board! Why doesn't UML let me describe these abstraction differences. ARrrggh

security-gurus-R-us • October 25, 2011 7:55 PM

@Maxwell Smart

You are correct. Mr. Ranum is an extremely ego-centric "self-proclaimed" security expert who coded a firewall back in the 80's (derived from others) and who tried to start a company based on IDS software (derived from others who didn't have the time to develop it themselves; all of it, in its entirety, was discussed and designed by top researchers relaxing in a jacuzzi at a USENIX conference... (lots of witnesses)).

Can't blame him for trying to profit off of the ideas of the masters, but to try to call himself, or imply that he is, one of them? Heh.

He may have a thought or two on why certain security elements don't fundamentally work (i.e. ftp protocols), but his negative and cynical views, with a lack of innovative solutions, impede any true progress, which is a true shame (i.e. TED talk, anyone? Who goes to TED to COMPLAIN about technology from ages past and NOT OFFER SOLUTIONS?).

How about his book "The Myth of Homeland Security"? How much more in the way of solutions CAN'T this guy offer?

He gets SOLICITED press, but provides only massive, across-the-board, defeatist cynicism, based off of his OWN limited, negative, real and perceptual experiences, always offering ZERO in the way of functional solutions.

Yet, I am always hopeful to be corrected. I hung in there through his latest endeavor at NFR, until I heard he was prone to waltzing around his office punching holes in the walls until the board dismantled him from his role.

I believe he works for Ron Gula now (which is odd - I think if you search the old log files from the late 90's he was at nasty "odds" with Ron over the mere fact that Ron had registered and started networkwizards.com (I think? or something akin... memory's shot but search is intact) because Ranum had registered and started up firewallwizards.com ages before. (yes, it's true - let the records show)

My "understanding" is that he even wrote and thoroughly documented his entire wikipedia page under a pseudonym and vehemently denies it on wikipedia when questioned (as the pseudonym!) and if you do not register when questioning him (ahem, his pseudonym) and he gets in a heated debate, he will argue to get the posts deleted.

I read one several years back that mysteriously disappeared, which was logged to an IP address rather than a registered user.

Enough ranting and time wasting on him and this topic.

Had to blow off steam. Sick of posers and "self-proclaimed" experts prancing around like they're the end-all-be-all when there are so-many-more that have come before and so many more that have come after that can cut, slice and dice without having to shout about it to get attention and undue recognition.

Especially someone with his ego.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..