Marcus J Ranum: « I’m not a big fan of humans »


“There is no software to solve social problems”. Marcus J. Ranum takes a critical look at how we approach cybersecurity. We met him at GovSatCom 2019 in Luxembourg.

Marcus J. Ranum is a global star in cybersecurity, a key player in the industry for two decades. We do not have enough space here to present his entire CV … but he played a major role in the invention of the firewall and the VPN. He also worked for the White House where he built the first mail server for the domain. He then went on to develop intrusion detection systems. Marcus J. Ranum is also known for his sharp demeanour and outspokenness. He was in Luxembourg for the 2019 GovSatCom conference, held on February 14, 2019. On this Valentine’s Day, he broke the hearts of many cybersecurity lovers. But sometimes a breakup makes you stronger. An interview with a disruptive and captivating spirit.

Mr. Ranum, you do not seem to trust human beings when it comes to ensuring cybersecurity. Is this really the case?

Indeed, I am not a big fan of humans. That’s why I hope that a technological society will soon see the light of day.

You also said that “software cannot solve social problems”, but that the opposite may be possible?

The problem is that people are trying to implement things that correspond to human concerns: more money, more power, more sex … or whatever. We can always try to develop software that prevents people from being greedy. But it will not work if we do not take into account the root of the problem, that is, the economic and political factors that make people behave in this or that way. Look at a phenomenon like cyber-harassment. It’s very interesting to ask why this happens, why people start doing almost anything because they put on a mask and believe in their impunity.

Here at C3, we organize numerous trainings designed to communicate good practices to users. You seem to be saying that training is useless.

Yes. In fact, I did it too. I organized anti-phishing tests, I explained to people that they should not open an email from a bank where they never held an account. But people continue to do it. In fact, I think people should not worry about this kind of thing. The problem comes mainly from a number of features that have been added to our mail clients. For example, when you have a preview of a web page that appears in the email: it is a feature that is absolutely not essential and yet provides a gateway for many attacks.

Dual Use: Is this another “social” problem that computers cannot solve?

Yes. When I was a child, I was a fan of the crusades and of castles and it was at that time that I discovered that a castle is not only an instrument for defense, but that it can also be used to attack. It’s the same concept for a firewall, which is basically a defense technology, but which can also be used to conduct attacks because it makes your own attack undetectable until you actually launch it.

And that’s the problem, because believing that some technologies only work in one direction pushes us to make bad decisions. This is the case, for example, when governments put backdoors in place.

The WannaCry malware that cost the global economy tens of millions of dollars was based on leaked CIA code. It shows how our weapons can be turned against us. We could also talk about Shamoon, Stuxnet or other famous viruses that have similar stories.

Hacking Back: Do you think we can defend ourselves by conducting counter-attacks?

That doesn’t work! At least, it’s not the right approach. Conversely, what can be useful is counterintelligence and intelligence. Also keep in mind that counter-attacks can be dangerous because by mistaking the origin or the intended target things can go wrong, like in a movie.

National security and cybersecurity: friend or foe?

We need to take a step back from the concept of national security. I think that the challenges of humanity are too important to be addressed only at a national level. Nationalism exacerbates the problem of climate change. Humanity must respond to certain challenges by adopting a global perspective.

Cybercrime is mostly transnational. Criminal circles make fun of borders. We must have a global response to cybersecurity. Stop using up incredible sums in a dead-end competition with other nations. I am very concerned to see the progression of nationalism around the world, to the benefit of stupid dictators.

By the way, 20 years ago you worked for the White House… would you do so again with the current president?

I would do it again, without hesitation … And I would install as many backdoors as possible!