U.S. Computer Security Advisor Encourages Hackers
DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers, and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clark was using the original, more generalized, definition of 'hacker', but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."
If only the left hand knew what the right hand was doing...
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
maybe not
The government encourages People to go to work.
If something like this made it anywhere near being a policy decision, when the popular press got ahold of it, it would not last very long. Joe Sixpack doesn't know much about computers, but he knows the word 'hacker' and he knows that it's mapped to the word 'bad'. So when anyone suggests letting (hackers=>bad people) near our critical computers (which all computers are...) then Joe goes on the warpath and gets it struck down.
After going after these people for exploiting bugs in software for the wrong reasons, maybe this will lead to some gainful employment for a few ladies/fellows.
you never lose in ure razorblade shoes......Beck-Hotwax
I suppose next they'll be suggesting that thieves be allowed to break into my house, just to see if it is secure.
This is a slippery slippery slope, folks.
If hackers break into my systems, I want them prosecuted like another type of criminal!
It's a little too late for these. We already have a number of people in jail for finding software bugs and releasing the details without doing any damage... And isn't there a law already against this exact thing here?
http://www.maximum-cars.com - My little hobby.
But IMHO hackers aren't going to play the nice guys and report the bugs; they are going to exploit the bugs and either not tell the company about all of the bugs or not tell the company about any of the bugs. That is what they do. Do you think that they will stop just for you?
Now that we have this story, I wonder if he'll back down from the "we'll help you" part? Good Faith being what it is, I don't have much faith in the government to do the right thing in this case...I bet white-hats still end up with the shaft.
Which is more surprising: a government representative supports hackers, or a government representative uses the correct meaning of "hacker"?
Maran
Being publicly accountable makes a company more diligent with security and bug testing. The only downside to public announcements is that every hacker out there now knows about it. The upside to THAT is that the company now has a hell of a lot of incentive to patch the hole in a prompt manner. Just my 2c!
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Now I hope that a US citizen tells them that they are encouraging something that is outlawed by the DMCA.
No wonder a Trojaned version of OpenSSH was put on OpenBSD's FTP server. They were acting on Presidential recommendation!
It's said WE have to be the world's debuggers.
Runnin' On Empty
There's a pretty good chance you'll get sued/fined/imprisoned due to the DMCA. Of course, the advisor did say that some legal protection for hackers should be in place to prevent such a mess.
These days, with "corporate fraud" being the buzzword d'jeur, one could make a very strong argument that the DMCA encourages corporate fraud because it allows companies to sweep their product defects under the carpet.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
When slashdot gets hacked, the editors are steamed at the "trolls", who are regarded as exclusively destructive, instead of being grateful that exploits are being tested. In fact, the trolls are the only ones brave enough to wade into the cesspool that is slashcode to help make it a better site.
There was the incident of the fellow who discovered that the New York Times was left wide open by FrontPage. So he called to tell them, and was promptly arrested. I wonder if Mr. Clarke thinks that's fair.
then put you in jail for DMCA violations.
I think what he meant was people who try to break their own systems to find bugs in them. Not the people who mindlessly hack into other people's web pages and change them because they have no time.
He means responsible hackers who just find the problems and notify the company. Not hack into banks or your computer.
It is perfectly legal for someone to try to defeat their own home security system, while it is not legal for them to break someone else's (unless requested).
Not a very slippery slope at all if you look closer. All he wants is for people who discover or uncover problems on their own little systems or labs to be allowed to tell the companies. Or even just let these people find the problems on their own. As well, he wants to legislate it a bit more, so while they can notify the companies, they won't be able to release to the public exact details on how to break in.
Just like, if I discovered that my security system on my car was easily breakable. I could tell the company, and let my friends know there is a problem. But I cannot publish a detailed paper explaining how to unlock doors with a screwdriver and some patience.
~ kjrose
A top Bush-administration official, in a tie-in with Richard Clarke's press release on hackers today, gave his support to the Cult of the Dead Cow, a hacker group responsible for creating the juvenile-hacking utility known as "Back Orifice" or simply B.O. Whether this official's support is a tie-in with the Bush administration's fundamentalist leanings is unknown. CotDC representatives were quoted as saying, "5w33t! 7h1s r0x0rs! w3 w1ll 0wnz j00 4ll n0w! ph34r u5!" President Bush was unavailable for comment.
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
What an elaborate trap, he makes some big speech about this, all the hackers come out of their hiding places and publish security holes and BAMMO they are all put behind bars because of DMCA violations. Then he says "oops."
I wonder how long the "hacker" should give the company. And is the government really the next best step? I work for the government and I seriously doubt that will get the ball rolling.
The obvious problem with full disclosure, of course, is making malicious hackers and even terrorists aware of the problem. Solutions anyone?
Can I bum a sig?
system only works when the hackers show 'good faith'
Who gets to decide whether what a hacker did was in 'good faith'? These proposed laws mixed with the DMCA should make the credibility of the system less than it is currently treading at...
Jesus saves souls and redeems them for valuable cash prizes
A more interesting quote is in this CNN article.
Umm, really? To whom in the government? The Department of Fixing Stuff? The FBI? The FTC? The DoJ? Gosh, that'll keep (e.g.) Microsoft on their toes. Bwahahahaha!
Precedent would suggest that a more likely result will be the jailing of the hacker, and the awarding of a fat contract to the vendor.
Thanks all the same, but this is just some guy in a suit. When it's written up in law by Congress, signed by G.W.Bush, and delivered to the Library of Congress by flying pig courier, I might change my mind.
If you were blocking sigs, you wouldn't have to read this.
I heard him on the radio this morning.
He encouraged hackers who are also "professionals" to look for bugs like this, and then report the bugs to the government and the software maker. There was no policy about what happens when both moribund entities laugh and sit on it.
Nor did he want the hoi polloi hackers out there looking for software bugs. He was explicit about this: Only Security Professionals Need Apply.
Allow me to take this moment to reassure that he is as disconnected from things as you could ever imagine. This is just the same crud in a new can. He will happily prosecute you if you do something to make the world better and don't wear a suit / this is not your "job" by his lights.
So don't take it too much to heart... he really didn't mean you regular people, folks.
I listened to an interview with Richard Clarke this morning on NPR. He basically said that he *knows* that this is outlawed by the DMCA (and other laws against hacking) and suggested that computer professionals try to break only into their own systems, so as to avoid legal wrath.
Except that HP is threatening the DMCA against the group who (notified and) publicized the Tru64 vulnerability. AFAIK, this vulnerability was found by their examination of their own systems.
When I was a kid, we only had one Darth.
But I thought that in the US you would get arrested and charged for showing that systems had vulnerabilities? I mean, that WarTalking case doesn't exactly inspire the White-Hat Hackers to continue in their good deeds, does it?
"If there are legal protections they don't have that they need, we need to look at that," he said.
Maybe it would be a better idea to create those protections before stepping up to the podium and announcing a call to arms to people around the world to find bugs and report them.
True, there is some protection from the DMCA. BUT, it also says that when a security flaw is found, to first contact the business, and if the business does not respond in enough time, the government. He is not flying in the face of the DMCA, because he does not encourage sharing of information with other programmers (who might make a virus, hack stuff, are assumed to be 'evil,' blah blah blah)
I rented some of the Sopranos DVDs, and in one of the episodes of the second season, they specifically clarified the meaning so that it was wrong.
One of the mobsters was talking about computer break-ins to do illegal activities and said something like "what do you call those guys... crackers?" and another mobster corrected him: "hackers."
Anybody else notice this?
This is the info Joe Sixpack gets.
mark
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
This is consistent with the Administration's policy of having crooks act as policemen.
Ted Olsen.
Harvey Pitt.
John Ashcroft.
No need to remind you that this regime lost the popular vote in 2000, and recounts determined that without the Supreme Court's intervention they would have lost Florida and the electoral vote as well.
--Blair
Richard Clarke saying, "I have a cunning plan!"
Everything in the Universe sucks: It's the law!
I heard the NPR Morning Edition interview with Richard Clarke this morning. Yes, Clarke encourages "hackers" to find security holes, but be responsible: after discovering the security hole, notify the government and the manufacturer, but DO NOT tell the world. Clarke argues that he wants the software manufacturer to have time to develop a patch before announcing the vulnerability.
Clarke also said he wants "Computer Security Specialists" to hack and not the people doing it for fun. This ambiguity is the problem: how do you define "Computer Security Specialist"? Most of everything I learned about IT came through hacking for fun. Now I'm employed as a "Computer Security Specialist."
"I'm The Bounty Bear. I will find him anywhere. I'm searching."
"If there are legal protections they don't have that they need, we need to look at that," he said.
The first step in this would obviously be to add an exception to the DMCA stating that the circumvention of security measures in a product is legal if done for research purposes.
Take this to your representative!
Good point!!! I bet that Audi is looking for ways to send suicide drivers out and crash into drivers when they do crash tests. You would really be more comfortable if quality control were illegal?
I heard the NPR interview this morning as well. I believe he also said that only "Computer Security Professionals" should hunt for security flaws, and regular folks should not. I have no idea how you differentiate yourself as a "Computer Security Professional". Maybe you will have to register yourself with the government to get immunity from DMCA prosecutions. :(
Anyone have the mailing address of the President's Critical Infrastructure Protection Board (PCIPB)? Their home page is http://www.whitehouse.gov/pcipb/ but there's no address and the email address for feedback, feedback@who.eop.gov, doesn't work.
Big business owns the government, so getting tough laws passed to measurably improve software security is a very tough task. The key here is measurable. Not some bs statistics that politicians can throw around. I want results.
There is an interesting NPR interview of Richard Clarke Here regarding his comments.
Listen to exactly what he says.
He is not encouraging reverse engineering products to find their security weaknesses. He is only encouraging those who accidentally find weaknesses to responsibly report them.
Cheers
So now that the government (or maybe just this one particular individual) is realizing that their software isn't that secure, they want "hackers" to come forward and help them out? This, despite the fact that the DMCA subjectively outlaws this, and with the whole Tru64 thing fresh in one's mind?
If they want help, they have to make sure those who try and help out are protected by the law. You can't have it both ways.
I don't understand why the government has to encourage experienced programmers to find security holes - the software companies should do that. They can hire experts under a contract which gives both sides the necessary legal protection.
Customers can choose the products they believe to be secure enough for their use, for example ones that have been explicitly reviewed by hackers. And if they don't find a commercial product which is secure enough, they can switch to open source software, which has been reviewed by experienced hackers for as long as it has existed.
We need to get Richard Clarke to do a slashdot interview. I think this would be an enormous opportunity for the slashdot readers to find out what someone high up thinks about the DMCA and its effects on the community. It will also give Richard Clarke the opportunity to hear the concerns right from the community instead of from corp. reps.
Disclaimer: My personal side in the above-mentioned debate is already decided. I advocate responsible full disclosure. Tell the vendor first, but don't agree to any NDAs and always make it clear to the vendor that after a reasonable delay you go public with everything you've got relating to the hole.
Having proclaimed my bias, it was interesting to hear the guy's own words on NPR this morning. On the positive side he correctly defined "hacker." On the negative side he clearly preferred a more restrictive disclosure policy that could be summarized as "Tell the vendor then shut the hell up and go away." When gently pressed he was prepared to allow notification of a "responsible" coordinating agency, but he made very sure to never advocate anything so liberal as responsible full disclosure. I was busily making breakfast and coffee at the time so I might have missed an implication or two, but these days the usual spin on "responsible" when linked to the word "agency" means either government-sanctioned-&-corporate-owned or government-operated. Some security hackers find this a potentially scary thought.
Personally, I take responsibility for my own systems' security. Based on the information I have I do my best to keep them buttoned down. Only in that way can I ethically place any blame on the persons that might try and crack them. (Of course I also know my limitations - if a true expert wants to smoke my systems I know they're gone. I'll be satisfied with keeping the worms and kiddies out whilst trusting that there's nothing on my own boxes that a true expert wants badly enough to put in the effort.)
From this standpoint, anything other than responsible full disclosure denies me knowledge I need in order to make an informed decision about the risks I'm assuming. Similarly to do anything less myself, should I discover a security hole, is failing in my obligations to my colleagues.
To my mind he's advocating using the community as a source of free QA services whilst at the same time making sure that the vendors can get away with the old oxymoron of security through obscurity. Who'd bet against a government sponsored coordinating body being followed rapidly by laws prohibiting disclosure of holes other than through that body?
Why can't they make these resolutions Open Source? There's a vast number of Open Source developers who can contribute to that cabinet.
Only by harnessing the power of the Open Source developer community can we attain those goals.
Regardless of the fact that it wasn't actually SnoSoft that officially published the exploit, even if they had, Clarke is basically saying that they went about things in pretty much the most appropriate manner.
Sure, harmless hacking and reporting of this sort violates the DMCA; sure, they say they want legal protection for the people that help them; and sure, they will probably try to do something if you get arrested in the process of reporting a bug. If they succeed in helping you, they will claim triumph. If not, they don't really care, because systems that they rely on might get bugs fixed, and there are plenty of people in reserve, even if you eliminate a few. I don't think that the advisor's reputation would be at all affected if some DMCA lawsuit ensues.
QED
BSD is for people who love UNIX. Linux is for those who hate Microsoft.
This administration is the most anti-4th Amendment in the history of this nation. Now they produce a scheme to get hackers to unknowingly turn themselves in.
Enjoy your jail time, suckers....
"I have as much authority as the pope, I just
don't have as many people who believe it" - George Carlin
On the drive in, NPR had an interview with this guy (Yes, I listen to NPR in the car. Yes, I'm old.) and his remarks there made it clear that he thinks reverse-engineering software to find security holes should be criminal unless the person doing it is employed as a computer security professional.
I'd rate him above-average on the clue-o-meter (certainly as federal gov't employees go!) but he's not a friend to the hackers by any stretch.
"Personally, I take responsibility for my own systems' security."
So should *everyone*. I have seriously large negative amounts of sympathy for people who whine "oh no, they cracked us" (or worse, "hacked") and start going on inventing laws.
I've heard of trying to solve a societal problem with technology, but some people ought to wake up smell the coffee you're brewin', and see that it's equally erroneous to attempt to solve a technological problem by abusing legislation.
~Tim
--
Rushing on down to the circle of the turn
...where the RIAA is legally allowed to break into your computer and DDoS you, and you are legally allowed to use any hacking trick necessary to plug the software's "security holes," bugs, flaws and other "undocumented features" (to stop them), and so on. Boy, it could be fun for just...minutes!
Ok, I'm removing my tongue from my cheek now!
I'm not a geek, I'm just a clever script.
The thing is, network security weaknesses are rarely accidental. You can reliably predict the top five causes of security weaknesses:
- Buffer overflows
- Buffer overflows
- Buffer overflows
- Buffer overflows
- Buffer overflows
There's nothing at all accidental about why those are where the security weaknesses are - it's because most services are written in languages that make it very easy to overflow a buffer. What we need is a law that makes it a crime to do such poor software engineering....and finally the Bush administration says something I can agree with without reservations.
I almost feel like I have responsible representation.
Be careful when you say that Clarke "encourages discovery of software bugs". On NPR this morning they mentioned Ed Felten and Dmitri (though not by name) and asked Clarke if his statements at Black Hat were consistent with the government's prosecution of people who find holes in software. Clarke responded that US law prohibits people who are not "security professionals" from intentionally looking for security holes in software, and that the reverse engineering of software to find holes in it is prohibited.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
...Congratulations! You have won a FREE motorboat^H^H^H^H^H^Hcomputer!
Please pick it up in person today at the Springfield PD^H^H^H^H^H^HFBI Headquarters.
Signed,
Chief Wiggum^H^H^H^H^HJohn Ashcroft
Was there a particular reason to be insulting Bush? Or is that just sort of taken as given -- that we all hate Bush?
What is 'my system'? I am responsible for the whole shebang: NT servers, 2k terminal servers, Linux firewalls and web servers, NT desktops, wireless access points.
How can I attack my own systems without attacking someone else's 'intellectual property' or some such BS? I can't. But by the terms of the licenses (even the GPL and BSD, I believe) I can't blame the people I got the software from.
Anyone living in the US, connecting to the US, or who has even heard of the US should not be doing computer security. Anyone who is doing even a reasonable job of it is checking into and poking into the products supplied by vendors. But this is illegal. The vendors can't be blamed. Only you. You can be blamed, but you don't legally have the right to do the thing/s that will make your work effective.
Run. Run and hide.
I said it in a response to a journal on this story (posted yesterday, BTW) but I'll say it again: in a fight between this guy and Ashcroft (which is what this essentially is), Ashcroft will win every time. The only way to get around the problem is to invalidate the disclaimer of warranty of merchantability of a product. If nothing else, computer software must be fit for a specific purpose. At that point, GM and Walmart become aligned with anti-DMCA forces. Then Microsoft and the Senator from Disney get to see REAL political power.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
So if a member of the executive branch of the government publicly encourages you to break a law (DMCA), and you're then arrested, it would be considered entrapment right?
Unix is user friendly, it's just selective about who its friends are.
Does anyone really trust these clowns?
I mean, their past actions truly don't inspire a single grain of trust. Look at last week where the guy in Houston got busted by the court house for EXPOSING their wifi total lack of security (remember that they claimed he did $5000.00 in damage - no doubt that's exactly how much they paid for all the wifi stuff they had to shut down). Plus...just look at how easy they make it...try to do one good thing and some lawyer begins the mantra: DMCA..DMCA..DMCA.
Nice words you speak guy, but what did Clara say in the Wendy's commercials: "Where's the beef?"
Until I see the beef, I'm not trusting a single word you say....
The guy charged with hacking for letting the court house know about the unsecured access point in the court room? If they encourage us to let them know of holes in systems, are they encouraging us to step forward and be charged as criminals?
How about thousands of websites?
I can't link to my textbook or something.
mark
So let me see where this puts us. Phred Programmer discovers a buffer overflow that crashes IE. He tells his security professional about his discovery. Our "security professional" says "what's a buffer overflow?" and the whole thing falls on the floor.
Wait, let's try this again. Phred Programmer discovers a buffer overflow problem that crashes IE. He puts on his "security professional" hat and calls Microsoft. Microsoft says "So what? It crashes. BFD. We'll fix it on the next major release."
Phred Programmer waits until the next major release and the mess is still there. Remember, he's not supposed to write code to demonstrate this problem, or the potential harm, so Microsoft has no idea whether they've really fixed this problem.
So Phred Programmer calls the feds. They respond with "Huh? What's the big deal?" "Well, you could exploit this and hack with full administrator privileges", says Phred Programmer. "Sounds far-fetched" say the feds. "But just in case you're right, I don't want you writing any code. Why don't you post your notions with Microsoft?" "But I already have and they promised a fix by the next major release", complains Phred Programmer.
"Hmm. We'll have to take it up with them."
And so, another major release goes by and still nothing. Meanwhile, somebody else figures out the breached security and, because they don't live in the US, they post a script for the kiddies to use.
Back to the present: Somebody explain to me why this scenario is not likely. Restricting this information to "security professionals" seems to me like an effort to sweep security problems under the rug.
Richard Clarke's ideas suck, IMNSHO. He clearly has no concept of how bugs are discovered, demonstrated, and how the repair of those bugs is prioritized by software companies. Does anyone here really think Microsoft would have fixed those buffer overflow problems if no-one had written an exploit and published it? Does anyone here think that users in other countries will have any respect for stupid US policy (never mind the law)? Sheesh.
Nearly fifty percent of all graduates come from the bottom half of the class!
http://search.npr.org/cf/cmn/cmnpd01fm.cfm?PrgDate=08/01/2002&PrgID=3
This guy was on NPR this morning. When asked about his remarks in context of the laws against such hacking he specifically said that he was talking about hacking by "security professionals" only and then only for the purpose of quietly notifying the software maker. In fact, he explicitly said it should remain illegal for any regular joe to hack or reverse engineer software looking for exploits just for the fun of it.
This guy is not your friend. He, like the rest of the administration, is solely concerned with corporate interests. What he has in mind here is definitely not exposing exploits and causing bad corporate PR. It is the quiet uncovering of holes and the quiet informing of the software makers so they can issue mystery patches.
The reasoning behind that I suppose is to keep malicious hackers from using public exploits. But in reality, by the time the so called "security experts" stumble on the holes, the real evil hackers have already known about them for a long time. This is just more the "keep the problem secret and it will go away" policy that has gotten us into trouble.
I try not to go out of my way to correct the grammar or spelling mistakes of other people, but if you are going to go out of your way to use a French phrase, at least learn how to spell it.
The correct spelling is "du jour," not "d'jeur." I am not being pedantic; I just don't like to see insightful comments eroded by silly surface errors like this one.
peace.
So, who's going to develop a compiler/interpreter that prevents buffer overflows? It would be very hard to justify using any tool that permitted buffer overflows when another is available that prevents them. Talk about a Marketing advantage.
For that matter, who set the standard so low that buffer overflows were ever tolerated?
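The two posts above (the list of causes and the question about tools that prevent overflows) describe the defect only in the abstract. Here is an added C example, written for this page and not taken from the thread or any poster, that shows the unchecked copy beside a bounds-checked one for a constructed length-prefixed name field; the wire format, NAME_MAX and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (an assumption, not any real
 * protocol): one byte giving the length of a name, then that many bytes. */
#define NAME_MAX 16   /* 15 characters plus the terminating NUL */

/* The "before" pattern behind the overflows the thread lists: the length
 * comes from the message and is trusted. A declared length above 15 makes
 * memcpy write past 'out'. Shown for contrast only; this file never calls
 * it on untrusted input. */
void read_name_unchecked(const uint8_t *msg, char out[NAME_MAX])
{
    size_t len = msg[0];
    memcpy(out, msg + 1, len);      /* no bounds check: the defect */
    out[len] = '\0';
}

/* How many bytes the unchecked version would write beyond an 'outsz'-byte
 * buffer for this message (0 when it fits). Predicts the overflow without
 * performing it, which is what a bounds-checking tool must do. */
size_t overflow_bytes(const uint8_t *msg, size_t outsz)
{
    size_t needed = (size_t)msg[0] + 1;   /* name bytes plus NUL */
    return needed > outsz ? needed - outsz : 0;
}

/* The hardened version: every size taken from the message is checked
 * against the sizes the code itself controls before any byte is written.
 * Returns the name length, or -1 if the message is truncated or the name
 * would not fit in 'out'. */
int read_name_checked(const uint8_t *msg, size_t msglen,
                      char *out, size_t outsz)
{
    if (msg == NULL || out == NULL || outsz == 0 || msglen < 1)
        return -1;
    size_t len = msg[0];
    if (len > msglen - 1)       /* declared length runs past the message */
        return -1;
    if (len >= outsz)           /* no room for the bytes plus the NUL */
        return -1;
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed messages: a well-formed one, a truncated one, and one
     * whose declared length exceeds the 16-byte destination. */
    const uint8_t good[]        = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t truncated[]   = { 5, 'a', 'b' };
    const uint8_t oversized[41] = { 40, 'x' };   /* remaining bytes are zero */
    char name[NAME_MAX];

    printf("good:      %d\n",
           read_name_checked(good, sizeof good, name, sizeof name));
    printf("truncated: %d\n",
           read_name_checked(truncated, sizeof truncated, name, sizeof name));
    printf("oversized: %d (unchecked copy would spill %zu bytes)\n",
           read_name_checked(oversized, sizeof oversized, name, sizeof name),
           overflow_bytes(oversized, sizeof name));
    return 0;
}
```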
The way I see this issue is that I have an ethical responsibility to other users of a product to inform them of any security flaws I find. The EULAs of most proprietary software contain disclaimers as to fitness of use, and the end users have no legal recourse for any damages incurred. In other words they put out crappy, bug-ridden, security-flawed software and they expect us to shut up and just use it. To not publish any security problem is to leave every user unaware of the problem and therefore open to potential damage. I say full public disclosure up front of all bugs and security problems with just enough technical detail to verify the problem. No need to provide the script kiddies with automatic tools that they can use. Perhaps the proprietary software companies will start to put out a better quality product if they know that any security problem or bug will be quickly published. The end user's decision might be to start using some open source software that can be fixed a lot quicker than the insecure proprietary software.
zenray
Wasn't April a few months ago? You expect me to believe a high-placed government official has expressed an opinion that hacking could be something other than evil terrorism which threatens the foundations of our society and the American Way(TM)?
I wonder when he'll be replaced.
-Vercingetorix
"Necessitas non habet legem." -St. Augustine
While I liked the interview I heard, I seriously doubt he has enough authority to say what he really thinks in a public forum. I expect he'd be in a different department real fast if he toed anything other than the party line.
...so while they can notify the companies, they won't be able to release to the public exact details on how to break in.
You mean something like: DMCA v.1 rev. 1
I'd rather be sailing...
He said that he encourages those in the computer security field (but not anybody else) to run and attempt to crack industry software on their own computers (but not anybody else's) - ignoring the fact that this violates the DMCA - and then report any vulnerabilities to the government (as well as the manufacturer).
This seems like a thinly-veiled attempt to give the NSA a few more backdoors to me.
I vote for a 1-week courtesy notification period before a full, public disclosure - no matter who you are, or how much money you have.
Suppose I find a vulnerability in some random company's web site. After telling them about it, whom else do I tell? The NIPC?
And same for a widely used piece of software - after the software company, who in the government gets the report?
"but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."
Getting a little nit-picky here? I suspect he used hackers to describe anybody who can gain unauthorized access to otherwise restricted systems, not someone who is encouraged to find out why a "bug" caused the DoD's wargames application to crash. Yep, there's a reason he used the word "hacker" and not "software bugs hunter". I know entry can be exploited using system bugs, but hacking is obviously more than just exploiting "bugs", or did the poster just happen to miss the story immediately following this one? A hacker is a combination of skills, not just a "bug hunter"... Which is probably why good ol' Clarke used the popular definition in the first place.
I'll name it the Patriotic Millenium Computer Homeland Security Group. Anyone who wants to apply for a job please email me. Requirements are low, and I can't really pay you anything, but at least you'll be a Computer Security Professional.
Look for me on NASDAQ soon!
I have found there are just two ways to go.
It all comes down to livin' fast or dyin' slow. -REK, Jr.
pretty good chance you'll get sued/fined/imprisoned due to the DMCA.
Sued/fined? I have a hard enough time convincing the people that I work with that there is a difference between PHP and HTML. And they are reasonably intelligent people. Try convincing G.W. that there is a difference between "hackers" and "malicious hackers". Problem solved, label them all as terrorists and throw them in jail forever. The DMCA is the last thing I'd be worried about.
- Relativistic? That's barely Newtonian!
That would make the DMCA inapplicable. He'll get fired for sure. M$ and the xxAAs will have a hit squad gunning for his ass.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
One thing I learned when listening to the Steven Soderbergh commentary on Traffic was that... set your faces to shocked... politicians are much more objective than you think.
The problem is that we, the constituents, do not elect them for objectivity but for being subjective, stubborn, and close-minded. It's true... that's how you get elected (or stay in office).
So what is Richard Clarke doing here? It is quite possible he is beginning to switch popular perception. Using "hacker" correctly is a good start. And I assume most of us can agree that this is a step in the right direction.
The problem is that too many of the posts in this thread say "He isn't going far enough, therefore it's a complete waste of time." because "the end users will never know any better."
Well I hate to say it, but this is how you get the end users informed: slowly start moving in the right direction, educating the masses, letting them put their fears to rest bit by bit. I think Clarke could really start something here IF we, the supposed IT professionals, didn't just discard what he says right off of the bat.
As a sidebar, I always wondered why people don't try for more publicity campaigns to get laws passed... especially in foreign countries. Bush can say no to Kyoto because the American people don't care/want him to. You can't much expect to force a population to do what you want by saying "You are an idiot! Think differently!" (and it hasn't ever worked).
So why don't all concerned parties deluge primetime with an ad campaign? Slowly change popular opinion? Maybe in a year you could get huge differences. The key to remember is that politicians are nothing more than fonts of popular opinion. Clinton proved it. G Dubs is proving it: it doesn't matter what you think; it matters what the people believe you think, by what you say.
Clarke seems to be doing that, but since it isn't the Free Software/Free Beer/Free Nekkid solution so many on /. want, it gets tossed out in favor of waiting for something better to come along. Heh, if that is your modus operandi, you're going to be waiting a very long time.
What is music when you despise all sound?
... is just the flip side of different than "break it 'till it's fixed"
As mentioned previously, NPR had a good interview with Clarke on Morning Edition today. The interviewer even researched the story enough to know the Felten case. Most impressive.
Their stream is here.
Good Lord, I've deep-linked to NPR.
Ximinez: Now, old woman -- you are accused of heresy on three counts -- heresy by DMCA, heresy by RIAA, heresy by MPAA, and heresy by HP -- *four* counts. Do you confess?
Wilde: I don't understand what I'm accused of.
Ximinez: Ha! Then we'll make you understand! Biggles! Fetch...THE CUSHIONS!
First they ignore you,
Then they laugh at you,
Then they bait you,
Then you go to jail.
Great, it's Bush's "faith-based security initiative."
- Tim
I heard this guy on NPR this morning asked another question about current laws and their application. The answer was very different than the initial quote suggests. He implied that only professionals should be allowed to "hack" software and that those that backward engineer software for "fun" should be prosecuted.
Seems like he wasn't really saying that it was okay to hack software in your possession. It really was just: you can hack software in your possession if you work for a company involved in computer security.
So what kinds of people is this really aimed at? Seems to be aimed just at campaign contributors who own or run Software Security Companies?
People in power always have to walk a line between what they think, what they want, and those that surround them (e.g. what their bosses think, what their constituents think, what the lobbyists think....). I wouldn't discount a public statement like Clarke's as either totally opinion, nor as totally "party line". It's probably somewhere in between.
But, this guy is high enough to have influence and maybe even real Power. It would be worthwhile to interview him here. And then run his responses through the Crap Filters.
It's about time somebody high-profile in government used the real, original meaning of hacker. Maybe someone in the media will pick up on that and show us in a positive light... wait... never mind. We're trying to be realistic here.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
I also heard Mr. Clark on NPR this morning and liked most of what I heard until he said only Security Professionals should try and find bugs and that anyone else who does is assumed to be doing it with criminal motive. I'm sorry, I thought in our country guilt was not assumed but proven.
"If there are legal protections they don't have that they need, we need to look at that,"
No hurry!!
If I find a bug in win2k and want to notify the world without giving Microsoft a 30 day heads-up, that should be up to me. The bug is Microsoft's fault, not mine. They should bear the responsibility for any problems caused by it.
The bug is the problem, not the announcement of the bug!
If a tree falls in the woods and no one's there to hear it, it still fell over.
If people started making bugs public as soon as they found them, vendors would have to debug their software.
I would rather find out the second a bug in apache is found, and shut down my server until a patch is released, than operate a server that can be taken over by anyone.
I would prefer any e-commerce site I shop at to do the same.
Thinking "yeah, I found this bug but there's no way anyone else could/has found it" is silly. If I found out that the locks on my car could be opened by any key from that manufacturer, I wouldn't wait for a recall. I would go to Autozone, and buy new locks. If you want to wait for a recall, you can. If you are serious about the security of your vehicle, you wouldn't.
Somebody's going to respond to this and complain about how everybody's site will be down all the time. Good. If I know XYZ.com uses IIS and they just found a root exploit for IIS I want to go to XYZ.com and see that it is down. If it isn't then I know they're not a good company to give my credit card info to. Bugs will get fixed VERY quickly and no one will be pretending that leaving a server online for a month with a root hole is okay, just because it hasn't been publicized by CERT yet.
Here are a couple of scenarios:
I think it is generally a good thing to just inform the manufacturer of the bug, and not the whole world, but the ability to go public with it at any time should be there. Companies need to know that people can and will go public with bugs in their software, and should take any chance to correct bugs before this happens seriously. It should not be considered a bad thing for someone to publicize a bug before there is a fix available for it. They are destroying the illusion of security, not the security itself, which never was there.
One final analogy:
Imagine a safe made out of cardboard. It's not safe. Even if I don't know it's made out of cardboard, it's still not safe. If someone tries to break into my cardboard safe, they're going to find out what it's made out of pretty quick.
Life is too short to proofread.
There's a significant flaw, in that whatever he said seems to apply to an individual. What if a group of people form, say, a mailing list and want to collaboratively examine the security of a software product?
Also, people are not allowed to show how code can be exploited, which inhibits other people from learning about how to find and exploit flaws in software. The less good people know how to find out whether software is flawed the more vulnerable we are to exploitable software out there.
Hmm, this is almost like the gun debate. Almost.
Of course. Plea to all the competent computer folks to get themselves locked up so the gov't can look like it knows what it's doing in the eyes of all the non-criminals.
Under Bush, the U.S. government is becoming more and more corrupt.
If only a "Security Professional" can legally investigate security flaws, how does one become such a "Security Professional"?
It seems you have to start your first day at the job with absolutely no experience in the field.
I know, it's gonna be a licensed profession like doctors or lawyers, with its own lobby organization, barriers of entry and all the rest. Oh well...
Ok, so we should only break into our own systems... what about helping a friend figure out whether the security of a product she's using is flawed?
Sure, I have her permission to help, but do I have the permission of the Corp and the DMCA? What about asking for help in how buffer overflows work and get exploited so I can find those vulnerabilities in software (not to mention prevent my own from having them)?
Would it be illegal for me to show a friend of mine how a buffer exploit would work so she can learn?
Is it just me or with the current happenings with Snosoft and the DMCA doesn't this just sound like entrapment?
Of course, after this, they will probably make sure to get a court order forcing you to keep your mouth shut and there won't be a thing you can do about it after that.
At least by public disclosure you can offer the legitimate defense that for a company whose internal affairs are unknown (which would generally be the case except for people who actually worked there), public disclosure is the only way to be sure that they will actively try to fix the problem.
Trying to talk to the company privately first will, more often than not, get you nowhere because the only bugs that a company will bother to fix are the ones that actually _cause_ problems. They have too many other things to worry about to bother to fix things that *MIGHT* be exploited later.
File under 'M' for 'Manic ranting'
NPR had an interview with him this morning. The way he came across was that it was ok for security professionals to hack programs, but people who do it for fun are considered criminals.
Do you honestly think this is the government's goal? Come on.
Ok, so the security professional finds a big flaming hole, yet can't come up with the code to prove his hypothesis. He calls up software company A; if he's lucky he manages to wade through the phone system and find a human. "blah blah thank you for your interest in our products, we here at Co. A take our customers' satisfaction very seriously, we'll take that issue under advisement..."
So he calls up some magical government agency (department of computer experts?). Hell, he calls the FDA, for all the good it's going to do. "Thank you for calling the FDA, we care deeply about your concerns blah blah don't smoke, winners don't use drugs"
So he's fed up, and wants the problem fixed; perhaps NEEDS the problem fixed, because he's got script kiddies driving herds of elephants through that hole in his system.
So he goes public, without writing an exploit, and posts "Software Co. A is knowingly selling insecure software" on the web somewhere or in some industry mag.
Now, without proof to back up his claims, he's on the receiving end of a libel lawsuit. After all, a security expert talking down Software Co. A costs them a gazillion dollars a word in a lawyer's eyes.
So he proves it with an exploit - or even worse - a workaround/patch of his own, violating the DMCA, and spends the next 5 years doing all his port-sniffing in a prison shower.
His response to the Felten case is that a Uni. comp sci professor isn't an 'expert'? A cryptographer like Dmitri isn't either? Is he? Cause if he ain't, how dare he suggest any software has bugs in the first place.
Where do I go to enroll in Security Expert school? Sounds even better than Bovine University.
I don't need no instructions to know how to rock!!!!
They spent decades trying to wipe out hackers (e.g. Steve Jones raid by FBI) and then go "Oops". THEY WERE WARNED AT THE TIME!
Reminds me of the places where all the wolves had to be killed because they were destroying all the deer herds. Which is what they had always done, but they were competing with the PEOPLE who wanted to destroy all the deer herds.
Then wolf nostalgia set in and so a few had to be cautiously reintroduced. What was free became managed. So what they want isn't hacking; they want to reintroduce a weakened strain as an inoculation.
Hey hackers, want to be weakened?
"You must try to forget all you have learned. You must begin to dream." -- Sherwood Anderson
Part of the problem, of course, is the widespread misuse of the words "hack" and "hacker". When we use the same word for (1) creating (part of) a computer system, (2) trying to understand a computer system, (3) breaking into a computer system, and (4) breaking into and vandalizing a computer system, confusion is inevitable.
People who break into other people's computer systems should be called what they are: computer trespassers. People who deliberately damage other people's computer systems (say, by altering web pages) should be called what they are: computer vandals.
Using the correct terminology would make it clear that messing around with your own computer system and messing around with someone else's computer system are two entirely different things.
And that is a great reason to give to your Congress peeps. Not only is "corporate fraud" the buzzword of the day, but the fact that security issues can not be resolved because of the DMCA creates a huge paradox.
On the one hand we are told to protect our computers from terrorist intrusion, but the means of determining if we are insecure, on the other hand, are made illegal!
I've made it a habit, now, to send an email to Feinstein and Boxer (CA Senators) most days before I leave work. Even if they don't listen I'll at least bug 'em...
God, this makes me think that the government is trying to get the crackers to get all the bugs out of their DMCA/RIAA/MPAA DDoS software. *ho hum*
[insert witty comment here]
I agree, and I think it's time we start writing letters to news organizations and others who misuse the term hacker. Those of us in the hacker community have let others misuse the term because we know what the real meaning is, and not enough of us got upset about the first incorrect uses of the term. Now we need to start fighting back before it really is too late. To paraphrase "Alice's Restaurant": if a million people a day walk in, use the right definition of hacker, and walk out... they may get the point.
Just my $.02,
Ron
We need to think about what we really want as far as legislative protections, and actually cooperate with this guy, if we ever want to see protections for the common hacker become reality. As an earlier poster noted, Clarke is showing SOME support for us; our goal should be to work within the system, not attack it because it's imperfect.
To that end, I've put together a sample of what some protective legislation could look like. I think this takes into account most of the opinions expressed on this board as far as what's fair. Some further comments of mine are below.
----
(1) The DMCA is hereby amended such that the Reverse-engineering of software for the purpose of discovering security holes, and the modification of technological measures that control access for the purpose of discovering security holes, are legal. (insert definition of security holes)
(2) Discovering such security holes for the purpose of exploiting them to commit computer crimes (insert list here), however, is illegal. (fill in requirements for establishing purpose)
(2A) Sharing those discoveries with those who have the purpose of exploiting them to commit computer crimes is also illegal.
(insert penalties, remedies etc here)
(3) Upon discovery of a security hole, the discoverer should report it to the person, company or group whose responsibility it is to develop the software.
(4) Disclosure of the nature of a security hole, technical details of one, or methods that could be used to exploit it, or any details of a security hole beyond its existence and the product it affects, to anyone other than the developers of the software, within 15 days of the notification mentioned in section (3), is illegal.
(after 15 days you can tell the public the basic idea)
(5) Disclosure of the exact basis for a security hole, including methods that could be used to exploit it for the commission of computer crimes, or details that could lead someone inexperienced in computer security to exploit it for the commission of computer crimes, to anyone other than the developers of the software, within 45 days of the notification mentioned in section (3), is illegal.
(after 45 days you can release anything you want)
(6) Any discovery or disclosure of security holes not in compliance with these provisions is subject to liability under Title 17, Sec 1201 (DMCA)
----
Now, the thing that really strikes me about this is that, while it permits violation of what the DMCA mostly regulated (modification of technological measures designed to control access to things), it does so by way of regulating free speech. It specifically restricts what you may say about these things. We can talk about the morality of disclosing details of security holes, and to that end these guidelines might be fairly "moral" (in my view), but they clearly tread over the first amendment. Does this mean that there can really be no compromise between people designing security systems and people who want to hack those systems and expose weaknesses? I think if we can't find a constitutional middle-ground between controlled, proprietary security systems and people who genuinely want to improve the security of those systems, we may end up with the (DMCA'd) status quo.
-Steve
US Government says, "It's OK to hack as long as you tell the target how you did it."
Next day:
US Government 'Net connections taken down in massive DDoS attack. The hackers say, "We did it by sending zillions of 65,000 byte packets at you per second in a distributed denial of service attack. Now you can't touch us! Take that, fuckers!"
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".