Marcus Ranum

Tags: debate, firewall, network-security, security-contrarian

Marcus Ranum is a network security pioneer who built some of the earliest commercial firewalls and is credited with inventing several foundational concepts in network perimeter security. At various points he worked within the security community that overlapped with counterpane-internet-security, has been a regular presence at security conferences, and is known for blunt, contrarian takes on the security industry — a posture that resembles Schneier's own skepticism while differing from it in tone and target.

Firewall Pioneer

In the early 1990s, Ranum designed and built some of the first commercial proxy-based firewalls, including the DEC SEAL and the TIS Gauntlet. His approach — application-level proxies that inspected traffic semantically rather than just filtering by packet header — was architecturally different from the packet filtering that other early firewalls used, and more secure in principle. He also worked on bastion host designs and contributed to establishing the vocabulary of network perimeter security that became standard in the field.
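The architectural difference described above can be made concrete. The following is an added example, not code from Ranum, DEC SEAL or Gauntlet: it compares a header-only packet filter with an application-level check on the same constructed traffic samples. The filter admits anything addressed to the web port; the proxy-style check additionally requires the first bytes to parse as a minimal HTTP/1.x request line, so a non-HTTP protocol carried over port 80 is rejected. Sample payloads, port numbers and function names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    """One client connection attempt: destination port plus the first bytes sent (constructed)."""
    dst_port: int
    payload: bytes


def packet_filter_allows(flow: Flow) -> bool:
    """Header-only decision in the style of an early packet filter: web port passes, nothing else is examined."""
    return flow.dst_port == 80


# Methods the toy proxy is willing to relay; a real proxy would validate far more than this.
HTTP_METHODS = {b"GET", b"HEAD", b"POST"}
HTTP_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}


def http_proxy_allows(flow: Flow) -> bool:
    """Application-level decision: the payload must begin with a syntactically valid HTTP request line."""
    if flow.dst_port != 80:
        return False
    request_line, sep, _rest = flow.payload.partition(b"\r\n")
    if not sep:  # no line terminator at all: not an HTTP request line
        return False
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return method in HTTP_METHODS and target.startswith(b"/") and version in HTTP_VERSIONS


# Constructed samples: every payload is synthetic and chosen to exercise one decision path.
SAMPLE_FLOWS = {
    "plain web request": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "non-HTTP text protocol on port 80": Flow(80, b"SSH-2.0-Example\r\n"),
    "binary protocol on port 80": Flow(80, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
    "web request to non-web port": Flow(2222, b"GET / HTTP/1.1\r\n\r\n"),
}


def compare(flows=SAMPLE_FLOWS):
    """Return {name: (packet_filter_decision, proxy_decision)} for each sample flow."""
    return {name: (packet_filter_allows(f), http_proxy_allows(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (pf, px) in compare().items():
        print(f"{name:38s} packet-filter={pf!s:5s} proxy={px!s}")
```

The two non-HTTP flows on port 80 are the point: the packet filter cannot distinguish them from web traffic, while the proxy refuses to relay anything it cannot interpret as the protocol it was built for. That is the sense in which semantic inspection was "more secure in principle."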

This work puts Ranum at the origins of commercial network security in a way that parallels Schneier's position at the origins of practical cryptography. Both were early practitioners who helped define the field before it had established norms. But where Schneier's path led through algorithm design to policy writing, Ranum's path led through implementation to increasingly pointed critique of what the security industry had become.

The "Six Dumbest Ideas in Computer Security"

Ranum is best known in the security community for a 2005 essay, "The Six Dumbest Ideas in Computer Security," which catalogued persistent mistakes in security thinking: default permit (allowing everything not explicitly prohibited), enumerating badness (trying to track all known attacks), penetrate and patch, hacking is cool, educating users, and action is better than inaction. The essay is a practitioner's critique of how security work is actually done rather than how it should be done.
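The first two "dumbest ideas" are two sides of one policy choice, and a small policy evaluator shows why Ranum grouped them. This is an added example, not code from the essay: two toy policies are run over the same constructed connection log. The default-permit policy works by enumerating badness (a blocklist of ports the operator knew about when the rule set was written); the default-deny policy enumerates goodness (an allowlist of services the network is meant to offer). Port numbers, addresses and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """A single inbound connection attempt from a constructed log."""
    src: str
    dst_port: int
    proto: str


# Constructed policy data. The blocklist is whatever was known on the day the policy was written;
# the allowlist is the short list of services this network actually intends to expose.
KNOWN_BAD_PORTS = {23, 135, 445}
ALLOWED_SERVICES = {(80, "tcp"), (443, "tcp"), (53, "udp")}


def default_permit_enumerate_badness(conn: Connection) -> bool:
    """Allow everything except what is explicitly listed as bad."""
    return conn.dst_port not in KNOWN_BAD_PORTS


def default_deny_enumerate_goodness(conn: Connection) -> bool:
    """Deny everything except what is explicitly listed as a wanted service."""
    return (conn.dst_port, conn.proto) in ALLOWED_SERVICES


# Constructed traffic: one legitimate web connection, one known-bad service, one service nobody
# anticipated when the blocklist was written, and one DNS query.
TRAFFIC = [
    Connection("10.0.0.5", 443, "tcp"),
    Connection("10.0.0.5", 445, "tcp"),
    Connection("10.0.0.9", 31337, "tcp"),
    Connection("10.0.0.9", 53, "udp"),
]


def evaluate(policy, traffic=TRAFFIC):
    """Apply one policy to every connection and return the list of allow/deny decisions."""
    return [policy(c) for c in traffic]


def policy_gap(traffic=TRAFFIC):
    """Connections the default-permit policy admits but the default-deny policy refuses.

    This is exactly the set of things the blocklist author never thought of: the
    'badness' that was not enumerated because it did not exist yet or was not known."""
    return [
        c for c in traffic
        if default_permit_enumerate_badness(c) and not default_deny_enumerate_goodness(c)
    ]


if __name__ == "__main__":
    print("default permit :", evaluate(default_permit_enumerate_badness))
    print("default deny   :", evaluate(default_deny_enumerate_goodness))
    print("gap            :", policy_gap())
```

Both policies agree on the traffic the operator anticipated. They disagree only on the connection to port 31337, which the blocklist silently admits because nobody had listed it. Keeping the blocklist current is an unbounded task (the "enumerating badness" problem), whereas the allowlist only has to track the handful of services the network is supposed to provide.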

This critique operates in the same register as Schneier's security-theater concept and his arguments in secrets-and-lies that the security industry often sold the appearance of security rather than the substance. Both Ranum and Schneier are critics of the security product market's tendency to sell reactive, inadequate solutions while the fundamental design failures that create the need for those solutions go unaddressed. But Ranum's style is more confrontational and industry-focused where Schneier's is more analytical and policy-oriented.

The Schneier-Ranum Debates

Schneier and Ranum have engaged in a series of formal debate exchanges — "face-offs" published in Information Security magazine — where they took opposing positions on security industry questions. The format suited their complementary contrarianism: both are willing to take unpopular positions and both are skeptical of received wisdom in the security industry, but they often reached different conclusions from different starting points.

The debates covered topics like whether ethical hacking is useful, whether security certifications matter, and whether security audits work. On some questions they agreed; on others, Ranum's harder-line skepticism differed from Schneier's more hedged analysis. The debates are a useful artifact for understanding Schneier's positions because Ranum forced him to be more explicit than he might otherwise be — an illustration of the value of a good adversarial interlocutor, which the security-mindset itself recommends.

Relationship to Schneier

Ranum and Schneier are fellow practitioners who share a skeptical orientation toward security product claims and security theater. Their professional networks overlapped — both were involved with the security consulting world in which counterpane-internet-security operated — and their public personas are both characterized by willingness to say uncomfortable things about what the security industry actually does versus what it claims to do.

The difference is temperamental and strategic: Ranum tends toward denunciation and is often most useful as a source of harsh truths that the industry does not want to hear; Schneier tends toward analysis and is most useful as a source of frameworks for thinking about security that can inform both practice and policy. Both functions are valuable, and the security community benefits from having both voices — the provocateur and the analyst — even when they disagree.