Dusty Old Stuff From the Distant Past

I've been writing articles and doing presentations at conferences for 16 years or so, now! Just to give you some understanding of why I feel ancient: I gave a talk on firewalls at the first SANS conference back when about 200 people attended! The entire conference, that is, not just my talk.

This, then, is the non-chronological and unapologetic dumping-ground for old presentations and tutorial materials. Some of them are as relevant today as they were when they were written. Others are charmingly naive. All I can say is "I absolutely meant what I was saying when I wrote these."

The articles below are in no particular conceptual or cronological order.

What When/Where Why?
Experiences Benchmarking Intrusion Detection Systems 2005, when I was CTO at NFR There was a great deal of scammy fake IDS benchmarking going on, including some outright lies. As usual, the big liars did best.
Everything I have managed to learn in 25 years working in computer security Secure 3/60 Minneapolis 2015 The most important take-aways from my career. In other words, pretty obvious stuff.
Notes pages from my talk at "Spooks and Suits" Arlington 2015 A talk on "what's an attacker going to do about continuous monitoring?" The good news is that a well-established CM practice will help, pretty much no matter what. Everyone else is going to be in trouble.
System Logging tutorial Notes Pages Various, 1999-2005 These are the notes pages from my old USENIX and SANS system logging tutorial.
In Search of "Physical Laws" of Security VASCAN, George Washington University, Virginia, 2006

I believe that there are some underlying "rules" to security that we haven't managed to tease out into the open, yet. The problem is, until everyone understands that certain things are likely impossible or contradictory, the industry will continue to be presented with the security equivalent of "perpetual motion" machines. In this talk I lay out the first axioms - if you accept and extend them, you'll realize that "deperimeterization" and "antivirus" are never going to work.

Dude! Where did my Firewall Go? InfoSec Conference, Dubrovnik, Croatia, 2006

In this talk, I try to explain how the concept of the firewall devolved from being a well-understood device that handled a well-understood set of well-understood protocols into being a device consisting of marketing puffery, a simple packet screen, and a couple of anti-virus - excuse me - "intrusion prevention" signatures.

Some Possible Futures of Computing ISSA Minneapolis Chapter Meeting Keynote, Minneapolis 2005

This is one of the silliest and most fun talks I've given in years. I wanted to prognosticate like a silly "industry analyst" and decided to do like they do and make up a bunch of convenient "facts" to make my argument interesting.

Script Kiddiez Suck BlackHat Briefings 2000 keynote, Las Vegas

The audio for this is also available as an MP3.

In this keynote, I told the hackers and toolz-boyz that what they were doing was not positive and was not appreciated. As you can imagine, the effect of this keynote, in its context, was kind of like if the pope gave a sermon wearing moonies' robes.

Script Kiddiez Suck 2.0 CSI, 2000 Keynote, Chicago

Shortly after the poor reception of my Black Hat keynote (Script Kiddiez Suck) I essayed an oblique resumption of the attack by describing the economics of "who gets credit" in vulnerability disclosure. The premise was that if we removed the economic incentives for hackers to publish vulnerabilities, we'd be able to control the situation. 5 years later, there is no sign that vulnerability disclosure has reached an equilibrium. Several individuals including researchers from @Stake and MITRE proposed formalizing the kind of economy described in this talk.

The Myth of CyberWar Vanguard Security Conference 2004, Reno Nevada

I missed the conference because I took a fall off my horse P-Nut and was on the couch for a few days eating Vicodin.

In this presentation I attack the concept of CyberWar as silly and ineffective for the time being. Note: I am not saying CyberWar is impractical - just that it won't be for a long time. I've gotten a lot of push-back on this topic because there are a lot of true-believers who are making a ton of money (coincidentally) off of scaring people about CyberWar.

Infowar, Infosec, Jobsec White Paper, 1994

When Winn Schwartau published "Information Warfare" all the spooks in the infosec community got very very excited. Why? At the prospect of endless budget, of course! I wrote this white-paper in hopes of getting people to realize that 99% of the targets the infowarriors are talking about are civilian which means that we all need to do some serious thinking about the relationship between cyberwar and state-sponsored terrorism.

Building Policies - a Conceptual Framework Tutorial Notes, 1995 I wrote these as a simple walk-through of the high-level process by which an organization can construct a security policy.
Service-Oriented Requirements Analysis Tutorial Notes, 1995

These tutorial notes outline a methodology for thinking about how to compartment networks and establish a policy for access between them. Today, everyone is talking about "Network Compartmenting" and this was a road-map for doing it that I used to teach analysts at Arthur Anderson's consulting school.

As you may guess, this approach was never popular in the early 1990's when connectivity ruled everything. I am going to wait a few more years, when everyone's networks are compartmented thanks to all the worms and trojans and then I'll say "I told you so." I should have stuck a sexy name on this one, to get people to pay attention to it, because it probably represents the most valuable thinking I've done, especially if you couple it with policy-building methodologies.

Can We Test Firewalls? White Paper, 1995

When ICSA Labs first proposed to test firewall products, I was excited at the prospect. But as I dug into the methods they proposed to use, I was unhappy. It made me think about the whole question of meaningfully testing a product that effectuates an end-user determined policy. I came away unhappy after identifying the paradigm conflict between design-oriented testing and checklist-testing.

This paper foreshadows all my subsequent thinking about Common Criteria.

Censoring the Internet Consulting Presentation, 1995 In 1995, I served as a consultant to the broadcasting administration (read: censors) of a small national government in the far east. They were interested in censoring the Internet and preventing "American Values and Pornography" from tainting their people. This presentation was made to some very senior government officials. Marcus to .gov: "forget it."
Installing the TIS Firewall Toolkit Tutorial Notes, 1992 In 1992/3 I taught a series of classes at MITRE for network administrators working on INTELLINK and other government programs. These were the class notes. To me, they still represent a fundamental view of firewall design. Ironically, I dusted off most of these concepts for my INTEROP/COMDEX tutorial on "Advanced Firewalls" taught in 2004. The more things change, the more they remain the same.
Host Security Tutorial Notes, 1994 A very dated set of tutorial handouts about tools and issues to be aware of for securing hosts. Interestingly, these notes deal only with UNIX systems. That's because, of course, Windows systems at that time had no actual security model at all.
How to Really Secure The Internet Black Hat Briefings 1997 Keynote, Las Vegas

The audio for this is also available as an MP3.

In this keynote I first proposed what is still my favorite idea in security: scrap all the apps and start over again. I modulated the proposal by further suggesting the re-instatement of the backbone cabal and suggested blaming it all on Y2K.

A Taxonomy of Internet Attacks Tutorial Notes, 1994

These tutorial notes were from one of my introductory firewall tutorials and comprised a part of my original SANS Internet Firewalls tutorial. I break down attacks by various types in an attempt to lead the student to figure out which ones are best ameliorated with technology and which respond to knowledge.

Since 1994, I can't think how many times I've tried to explain to people that you don't have to be a hacker to know how to build systems that defeat hackers. In a sense, this presentation was the first shot fired in that long battle. By understanding the fundamental paradigms of attack and defense, one can defend against broad categories of problems - whereas many "security experts" of today are really only concerned with catalogs of detailed nitpicks.

The Fargo Log Analysis Engine Tutorial Notes, 2001

These tutorial notes were never presented anyplace; they represent the existing documentation for the first version of the Fargo log analysis engine that I wrote shortly before quitting NFR. Due to legal headaches I was never able to release Fargo except to a few beta test users and had to kill the project.

The design of Fargo is still way ahead of many systems that are out there. Some of the concepts may be useful to the log analysis reader.

I am hoping to eventually complete Fargo-II which has better algorithms but is conceptually similar.

The HotZone Honeypot Tutorial Notes, 2001

HotZone was a honeypot I was completing for Lance Spitzner and my honeypots tutorial for SANS. Unfortunately, HotZone was killed by legal complications surrounding my departure from NFR. Nobody ever got to see it, and it was only about 3/4 completed when I stopped working on it.

The design of HotZone is straightforward but I wanted to "wrap" it with some strucutred architecture like I did with the Firewall Toolkit. In the best of all possible worlds, I reasoned, system engineers for security products would look at HotZone and say, "Hey, I am going to steal ideas from this..."

The Network is Naked: The Consultant's New Clothes Presentation Notes, 1995 NSA Baltimore conference At the time I gave this talk I had been a consultant for a year, and had been spending most of my time doing firewall audits and web site design reviews. I was appalled to discover that even though firewalls had gotten pretty good, their users were installing them backwards, upside-down, and all manner of other silly things. So I gave a very angry and cynical blast to the assembled "old guard" of security who believed that policies, procedures, and good system design were going to somehow ameliorate a situation that was rapidly getting worse.
Performance Tuning for UNIX System Administrators Tutorial Notes, 1994 I taught this class once at USENIX, and once at Eastman Kodak (of all places!). Back in the day, system administrators actually wanted to understand how the operating system and hardware interacted; this tutorial has no relevance today. Operating systems are bloated bags of pig manure and Moore's law allows them to remain that way and even demonstrate minor performance gains. (Have you ever wondered why it is that if your CPU's speed doubles, your system never appears more than 1/2 again as fast?)
Picking Firewalls ? Conference , 1995 In 1994 I tried to help standardize a firewall selection process with ICSA labs. It turned out to be a bit less successful than we'd all have liked. This wandering presentation discusses some of the reasons why "firewall functional summaries" went wrong and takes a few pokes at the Common Criteria by implication.
Problems With Firewalls ? Conference, ~1997

In this presentation I outline and clarify the biggest problems I see with the concept of firewall - namely:
They let traffic in
They let traffic out

I foreshadow all the tunnelling attacks that are so popular today, and the layer-7 attacks that have been bedeviling the "stateful traffic inspection" products.

Network Police Blotter #1 USENIX ;Login: In this column I describe how complexity and security are opposed.
Network Police Blotter #2 USENIX ;Login: In this column I describe how to do application-oriented intrusion detection, and generally grumble about the quality of software.
Network Police Blotter #3 USENIX ;Login: In this column I describe the philosophy of burglar alarm construction for Intrusion Detection (this is not a new concept; Cheswick and I were talking about it in 1990) Also: how being in computer security is a lot like being a plumber.
Network Police Blotter #4 USENIX ;Login: In this column I talk about hackers and what jerks they really are. "U Help Me I Lame"
Network Police Blotter #5 USENIX ;Login: In this column I attack full-disclosure as being a stupid marketing trick being used to promote security consultants and market products. "Grey Hat Hackers are just black hats with stock options."
Have a Cocktail! ELX Security Magazine In this column written for ELX Security Magazine I liken the "grey-hat" hackers to extortionists and try to build a case for how it's never morally defensible to do what so many "industry luminaries" spend their time doing.
Secure Communications Over Open Networks Tutorial Notes, 1997

I used these tutorial notes to teach a series of classes for USENIX on how to think like a paranoid. It goes into terms of art like "target analysis" (which I am told used to be classified mojo stuff) and covers the gamut from steganography to using PGP over AIM.

This is the tutorial I was giving when I went into the infamous "orbital mind control lasers" rant and finished the tutorial wearing a tin-foil hat made for me by one of the attendees.

A Security FAQ (Frequently Agonizing Questions) ? Conference, 1995 This presentation outlines the political and organizational impediments that combine to make significant improvements to security unlikely. The concepts are still fresh, which is scary, if you think about it for a second.
Tales From The Early Days of The Firewall CyberGuard User Conference, 2004, West Palm Beach

CyberGuard invited me to do a talk on "anything you want" so I dug up a couple of fun factoids from the early days of firewalls. I used this as an opportunity to interview some of the true Old Timers (Bill Cheswick, Steve Bellovin, etc) and had a good time re-hashing old times.

I tried to break things up into an east side/west side perspective. There were really 2 powerhouses at work on firewalls back then: the AT&T gang and the DEC gang. It turns out that the AT&T gang (specifically, Dave Presotto) were way ahead of everyone else.

Security For Software Developers Tutorial Notes, 1996

I used these tutorials to teach a series for USENIX and other conferences. There is some overlap at the beginning with the Secure Communications tutorial, because I wanted coders to have the broader perspective that "it's not just a problem of writing clean code or adding crypto"

When I first taught this class, I had Mudge, Casper Dik, Alec Muffett, Kurt Lidl, and Steve Bellovin auditing the class. They heckled me. It was terrifying. At one point I got cocky and announced "Since all these examples are very carefully constructed, I will buy a pint of beer for anyone who finds a vulnerability in my code." I owed Mudge 6 pints. Alec and Casper and I went to a local bar and drank ourselves senseless on imported British sludge but Mudge appeared immune to beer. A good time was had by all!

Security on Internet Time ? Conference, 1997 Toward the end of the roaring nineties I realized that the rate at which crapware was being shovelled over the fence was going to result in a "software chernobyl" years later. My prediction came true.
Security Trends: Hot Topics ? Conference, 1997 I make a series of predictions about crypto export controls (right) the future of firewalls (right) why code will continue to suck (right) etc - I forget which conference this was for but someone wanted a "visionary talk" -- looking back with 20/20 hindsight, I think I beat Nostradamus hands down.
Are Firewalls Obsolete? Interop, 1996, Las Vegas I got sick of being asked if firewalls were obsolete, or not, and whether I was willing to debate with someone on the topic. So I offered to demonstrate my skills as a public master debater and debated myself. I won by a pretty handy margin...
Smartcards - Issues and Answers ? Conference, 1996

When I was working at V-ONE I drank the smart card kool-ade for a while and got pretty excited about the technology. This presentation predicted that smart cards were going to be useful.

OK, they are useful but for various dumb reasons they still aren't being used.

Sendmail and Firewalls Tutorial Notes, 1994

These tutorial notes were used for DOD customers at the MITRE briefings (Marcus' Elite Ninja Firewall-builder's Class) I outline how to hook sendmail up for firewalling. Given the rate of mutation of sendmail, this material is probably hopelessly out of date.

When this tutorial was written, Postfix and Qmail had not yet been written, so sendmail was still considered a viable option for a secure gateway MTA. That has changed.

DNS and Firewalls Tutorial Notes, 1993 These are tutorial notes from my early firewalls tutorials. In them, I explain the basics of how to do split DNS, and all the inherent ugliness thereof. I also tackle the futility of hiding host names.
Authentication Tools and Techniques Tutorial Notes, 1995 Back when I used to teach firewalls, this was one of the modules I could sometimes draw on. Hard to imagine most network users didn't know what authentication systems were, in those days. They still don't.
A Simple Homebrew VPN ? Conference, 1995 Back in the crypto export control days, a VPN was a heavy-duty military munition. IPSEC was still gestating (it gestated for a long time) in the IETF and every vendor offered incompatible buggy VPN technologies in their firewalls. I cooked up this simple scheme for tunnelling VPN traffic using PPP and PTYs and some kind of tunnel. Updated slightly to use SSH in the late 1990's.
Burglar Alarms For Detecting Intrusions ? Conference, 1998 Tutorial notes for a briefing on the IDS approach of using policy-centric detectors (AKA "production honeypots")

Need I mention that this stuff is all Copyright(c) Marcus Ranum and that all rights are reserved? College kids: Please do not plagiarize my work. You'll just end up with a useless degree you didn't really earn. (Feel free to reference these materials and URLs; articles won't move around much once they've landed here.)