  1. BKMYHLSC.RVW 20031124

    "The Myth of Homeland Security", Marcus J. Ranum, 2004, 0-471-45879-1,
    %A Marcus J. Ranum
    %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
    %D 2004
    %G 0-471-45879-1
    %I John Wiley & Sons, Inc.
    %O U$24.99/C$37.50 416-236-4433 fax: 416-236-4448
    %P 244 p.
    %T "The Myth of Homeland Security"

    Regular readers of the RISKS-FORUM Digest come to know a number of
    phrases that are repeated over and over again, in assessing risks and
    problems in technical systems. One is "single point of failure" and
    another is "cascading failure." Yet another, and the one that Ranum
    seems to be concentrating on, is "protecting against the wrong
    threat." The book starts out, in "It's Another Code Orange Day,"
    noting that the vast new machinery of airline security has not caught
    any terrorists, and also notes that the defenders are completely

    Chapter one asserts that Homeland Security is (along with a number of
    other similar terms) a convenient invention. Information warfare is
    derided as such a device, and although I could agree in terms of books
    such as Erbschloe's (cf. BKINFWFR.RVW), I don't think Ranum gives
    enough thought to the work by Dorothy Denning (cf. BKINWRSC.RVW). The
    one myth that the author attacks in chapter two is of superior
    attackers and defenders. The anti-FBI stance is somewhat overblown,
    even though there are numerous examples to support it, both in the
    book and elsewhere. Politics, in chapter three, is mostly about the
    PATRIOT Act (and finding out that it stands for "Provide Appropriate
    Tools Required to Intercept and Obstruct Terrorism" is almost worth
    the price of the book all by itself), although Ranum's seemingly
    deliberate attempts to avoid being politically pigeon-holed make it
    difficult to determine exactly what his point is. Merging inefficient
    agencies is unlikely to help things, as is pointed out in chapter
    four. Immigration, in chapter five, looks at weak borders (and, rather
    ironically, Ranum seems to be promoting the myth of terrorist entry
    through Canada), but the text also admits that the 9/11 attackers all
    had valid visas, and ultimately suggests no solutions. Chapter six
    notes that TSA (Transportation Safety Administration) salaries are
    higher, and hiring requirements more stringent, than before (and the
    book has previously indicated that TSA personnel are more
    professional), but Ranum points out a few instances of hiring
    irregularities, and then flatly states that airport security is a
    sieve. He is also seemingly inconsistent in his positions, arguing
    generally against biometrics and profiling, but then apparently
    endorsing them. The arguments are not reasoned: he is for a national
    identity system, but admits elsewhere that the 9/11 terrorists had
    valid identification. Chapter seven says that the army is good, the
    border patrol is looking for the wrong things (although this is
    confusingly amended to a position that they have the technology but
    aren't using it), and the FBI and CIA have an ongoing turf fight.
    Having stated that he is not interested in media bashing, Ranum spends
    most of chapter eight anecdotally doing just that. There is a token
    mention of access to information, and a final assertion that probably
    nothing can be done about the problem of the media because the public
    is so gullible.

    Cyberattacks are an unreal myth, says chapter nine, but our
    information infrastructure is mostly undefended. The lack of
    standardization in government systems is seen as making government
    systems harder to defend (even though homogeneity means that a single
    attack can penetrate everything). While this material starts off very
    well, possibly due to Ranum's greater familiarity with strictly
    technical issues, he makes numerous errors in regard to viruses and
    malware. His lack of experience in this specific area reappears in
    chapter ten, where he says that even outdated antivirus scanners
    should have caught Code Red because the exploit was a known one.
    However, scanners would not have caught Code Red since it did not
    write itself out to a file, and also because scanners search for
    strings or patterns, not exploits. (If anything should have caught
    Code Red it was more likely to have been the firewalls that Ranum has
    made his name in designing.) Computer insecurity is put down to being
    on the cutting edge (advanced technologies being less completely
    understood), but is also due to foolish government purchasing

    Those of us who work in the security field can certainly sympathize
    with the tone of Ranum's work. Yes, governments (and businesses) are
    foolish. Yes, the general public sees a complex problem in simplistic
    terms. Yes, you can find instances of stupidity in any large
    enterprise. But does any of this have a real bearing on how security
    can be improved, or how we should look at it? (Particularly to a
    non-American audience, this book must read like a long string of sometimes
    whiny complaints.) Yes, Ranum starts off by saying that he is not
    actually offering solutions, but that bald statement hardly absolves
    him of not offering anything, including insights. While this work is
    at least well-informed about the problems, I am at a loss to explain
    the adulation that has been heaped upon it by many of my colleagues,
    aside from the fact that we all feel very much the same way.

    Presumably, however, we are not the target audience, and the book is
    aimed at demonstrating to the general public that Homeland Security
    is, as the cover graphically puts it, a house of cards. Pointing out
    that the Emperor has no clothes does have some merit, although the
    rewards of the activity are questionable at best. When addressing a
    non-technical audience, the anecdotal evidence provided is probably
    more realistic than a closely reasoned argument. However, the lack of
    clear suggestions for improvement, and inconsistency in positions,
    detract from the book's value.

    We can agree that security is a mess, and that governments can create
    enormous boondoggles. This book is among many that make the point,
    but does not do much to improve the situation.

    copyright Robert M. Slade, 2003 BKMYHLSC.RVW 20031124


