Slashdot Mirror
U.S. Computer Security Advisor Encourages Hackers
DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clark was using the original, more generalized, definition of "hacker", but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."
If only the left hand knew what the right hand was doing...
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
The government encourages People to go to work.
If something like this made it anywhere near being a policy decision, when the popular press got ahold of it, it would not last very long. Joe Sixpack doesn't know much about computers, but he knows the word 'hacker' and he knows that it's mapped to the word 'bad'. So when anyone suggests letting (hackers=>bad people) near our critical computers (which all computers are...) then Joe goes on the warpath and gets it struck down.
After going after these people for exploiting bugs in software for the wrong reasons, maybe this will lead to some gainful employment for a few ladies/fellows.
you never lose in ure razorblade shoes......Beck-Hotwax
It's a little too late for these. We already have a number of people in jail for finding software bugs and releasing the details without doing any damage... And isn't there a law already against this exact thing here?
http://www.maximum-cars.com - My little hobbie.
Which is more surprising: Government representative supports hackers, or Government representative uses correct meaning of "Hacker".
Maran
Being publicly accountable makes a company more diligent with security and bug testing. The only downside to public announcements is that every hacker out there now knows about it. The upside to THAT is that the company now has a hell of a lot of incentive to patch the hole in a prompt manner. Just my 2c!
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Now I hope that a USA Citizen tells them that they are encouraging something that is outlawed by the DMCA.
No wonder a Trojaned version of OpenSSH was put on OpenBSD's FTP server. They were acting on Presidential recommendation!
Cnn Story:
Linky Linky
it's said WE have to be the world's debuggers
Runnin' On Empty
There's a pretty good chance you'll get sued/fined/imprisoned due to the DMCA. Of course, the advisor did say that some legal protection for hackers should be in place to prevent such a mess.
These days, with "corporate fraud" being the buzzword d'jeur, one could make a very strong argument that the DMCA encourages corporate fraud because it allows companies to sweep their product defects under the carpet.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
There was the incident of the fellow who discovered that the New York Times was left wide open by FrontPage. So he called to tell them, and was promptly arrested. I wonder if Mr. Clarke thinks that's fair.
then put you in jail for DMCA violations.
I think what he meant was people who try to break their own systems to find bugs in them. Not the people who mindlessly hack into other peoples web pages and change them because they have no time.
He means responsible hackers who just find the problems and notify the company. Not hack into banks or your computer.
It is perfectly legal for someone to try to defeat their own home security system. While it is not legal for them to break someone elses (unless requested.)
Not a very slippery slope at all if you look closer. All he wants is for people who discover or uncover problems on their own little systems or labs to be allowed to tell the companies. Or even just let these people find the problems on their own. As well, he wants to legislate it a bit more, so while they can notify the companies, they won't be able to release to the public exact details on how to break in.
Just like, if I discovered that my security system on my car was easily breakable. I could tell the company, and let my friends know there is a problem. But I cannot publish a detailed paper explaining how to unlock doors with a screwdriver and some patience.
~ kjrose
This is more like an architect taking a model of your house, finding the weaknesses, and telling the manufacturer about it so they can fix your house before someone malicious takes advantage of it.
A top Bush-administration official, in a tie in with Richard Clarke's press release on hackers today gave his support to the Cult of the Dead Cow, a hacker group responsible for creating the juvenile-hacking utility known as "Back Orifice" or simply B.O. Whether this official's support is a tie in with the Bush administration's fundamentalist leanings is unknown. CotDC representatives were quoted as saying, "5w33t! 7h1s r0x0rs! w3 w1ll 0wnz j00 4ll n0w! ph34r u5!" President Bush was unavailable for comment.
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
I wonder how long the "hacker" should give the company. And is the government really the next best step? I work for the government and I seriously doubt that will get the ball rolling.
The obvious problem with full disclosure, of course, is making malicious hackers and even terrorists aware of the problem. Solutions anyone?
Can I bum a sig?
system only works when the hackers show 'good faith'
who gets to decide what a hacker did was in 'good faith'? These proposed laws mixed with the DMCA should make the credibiliy of the system less than it is currently treading at...
Jesus saves souls and redeems them for valuable cash prizes
The difference with homes is that everyone knows what they are, what they're for and the most common routes of security breakage.
When we got a security system installed at my current place, I slinked around and tried to get around without being seen by the motion detectors. Eventually I found a way to get from the back door to my computer without triggering a single motion detector. This resulted in us having them moved around.
Computers, in contract, are big nebulous boxes and most people don't know much about how they work or how to secure them. This is why they should be treated differently than homes with respect to how the security is tested.
A more interesting quote is in this CNN article.
Umm, really? To whom in the government? The Department of Fixing Stuff? The FBI? The FTC? The DoJ? Gosh, that'll keep (e.g.) Microsoft on their toes. Bwahahahaha!
Precedent would suggest that a more likely result will be the jailing of the hacker, and the awarding of a fat contract to the vendor.
Thanks all the same, but this is just some guy in a suit. When it's written up in law by Congress, signed by G.W.Bush, and delivered to the Library of Congress by flying pig courier, I might change my mind.
If you were blocking sigs, you wouldn't have to read this.
I heard him on the radio this morning.
He encouraged hackers who are also "professionals" to look for bugs like this, and then report the bugs to the government and the software maker. There was no policy about what happens when both moribund entities laugh and sit on it.
Nor did he want the hoi-poli hackers out there looking for software bugs. He was explicit about this: Only Security Professionals Need Apply.
Allow me to take this moment to reassure that he is as disconnected from things as you could ever imagine. This is just the same crud in a new can. He will happily prosecute you if you do something to make the world better and don't wear a suit / this is not your "job" by his lights.
So don't take it too much to heart... he really didn't mean you regular people, folks.
I listened to an interview with Richard Clarke this morning on NPR. He basically said that he *knows* that this is outlawed by the DMCA (and other laws against hacking) and suggested that computer professionals try to break only to their own systems, so as to avoid legal wrath.
Except that HP is threatening the DMCA against the group who (notified and) publicized the Tru64 vulnerability. AFAIK, this vulnerability was found by their examination of their own systems.
When I was a kid, we only had one Darth.
I heard the NPR Morning Edition interview with Richard Clarke this morning. Yes, Clarke encourages "hackers" to take find security holes, but be responsible: after discovering the security hole, notify the government and the manufacturer, but DO NOT tell the world. Clarke argues that he wants the software manufacturer to have time to develop a patch before announcing the vulnerability.
Clarke also said he wants "Computer Security Specialists" to hack and not the people doing it for fun. This ambiguity is the problem: how do you define "Computer Security Specialist"? Most of everything I learned about IT came through hacking for fun. Now I'm employed as a "Computer Security Specialist."
"I'm The Bounty Bear. I will find him anywhere. I'm searching."
mark
If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
Anyone have the mailing address of the President's Critical Infrastructure Protection Board (PCIPB)? Their home page is http://www.whitehouse.gov/pcipb/ but there's no address and the email address for feedback, feedback@who.eop.gov, doesn't work.
He doesn't encourage cracking into other peoples systems, only testing the security of software. This can be done on local machines. Big difference. If I pick the lock on my own front door, is that breaking in?
do not read this line twice.
No need to remind you that ... recounts determined that without the Supreme Court's intervention they would have lost Florida and the electoral vote as well.
Remind me, please -- cite your source. Everything I've read (in mainline newspapers, Union-Tribune and North County Times) indicated that all the recounts indicated the opposite. That's why there was no big media splash; no change is no news.
-Billy
Do I hear the words "I have a cunning plan" marching this way will ill deserved favor?
-- IANAEG - I am not an elder god.
we need to get Richard Clarke to do a slashdot interview. I think this would be an enormous opportunity for the slashdot readers to find out what someone high up thinks about the dmca and its effects to the community. It will also give Richard Clarke the opportunity to here the concerns right from the community instead of from corp. reps.
The Kruger Dunning explains most post on
Disclaimer: My personal side in the above-mentioned debate is already decided. I advocate responsible full disclosure. Tell the vendor first, but dont agree to any NDAs and always make it clear to the vendor that after a reasonable delay you go public with everything you've got relating to the hole.
Having proclaimed my bias, it was interesting to hear the guys own words on NPR this morning. On the positive side he correctly defined "hacker." On the negative side he clearly preferred a more restrictive disclosure policy that could be summarized as "Tell the vendor then shut the hell up and go away" When gently pressed he was prepared to allow notification of a "responsible" coordinating agency but he made very sure to never advocate anything so liberal as responsible full disclosure. I was busily making breakfast and coffee at the time so I might have missed an implication or two but these days the usual spin on "responsible" when linked to the word "agency" mean either government-sanctioned-&-corporate-owned or government-operated. Some security hackers find this a potentially scary thought.
Personally, I take responsibility for my own systems security. Based on the information I have I do my best to keep them buttoned down. Only in that way can I ethically place any blame on the persons that might try and crack them. (Of course I also know my limitations - if a true expert wants to smoke my systems I know they're gone. I'll be satisfied with keeping the worms and kiddies out whilst trusting that theres nothing on my own boxes that a true expert wants badly enough to put in the effort)
From this standpoint, anything other than responsible full disclosure denies me knowledge I need in order to make an informed decision about the risks I'm assuming. Similarly to do anything less myself, should I discover a security hole, is failing in my obligations to my colleagues.
To my mind he's advocating using the community as a source of free QA services whilst at the same time making sure that the vendors can get away with the old oxymoron of security through obscurity. Who'd bet against a government sponsored coordinating body being followed rapidly by laws prohibiting disclosure of holes other than through that body?
I had a
Regardless of the fact that it wasn't actually SnoSoft that officially published the exploit, even if they had, Clarke is basically saying that they went about things in pretty much the most appropriate manner.
On the drive in, NPR had an interview with this guy (Yes, I listen to NPR in the car. Yes, I'm old.) and his remarks there made it clear that he thinks reverse-engineering software to find security holes should be criminal unless the person doing it is employed as a computer security professional.
I'd rate him above-average on the clue-o-meter (certainly as federal gov't employees go!) but he's not a friend to the hackers by any stretch.
...where the RIAA is legally allowed to break into your computer and DDoS you, and you are legally allowed to use any hacking trick necessary to plug the software's "security holes," bugs, flaws and other "undocumented features" (to stop them), and so on. Boy, it could be fun for just...minutes!
Ok, I'm removing my tongue from my cheek now!
I'm not a geek, I'm just a clever script.
The thing is, network security weaknesses are rarely accidental. You can reliably predict the top five causes of security weaknesses:
- Buffer overflows
- Buffer overflows
- Buffer overflows
- Buffer overflows
- Buffer overflows
There's nothing at all accidental about why those are where the security weaknesses are - it's because most services are written in languages that make it very easy to overflow a buffer. What we need is a law that makes it a crime to do such poor software engineering.Be careful when you say that Clarke "encourages discovery of software bugs". On NPR this morning they mentioned Ed Felton and Dmitri (though not by name) asked Clarke if his statements at blackhat was consistent with the government's prosecution of people who find holes in software. Clarke responded that US law prohibits people who are not "security professionals" from intentionally looking for security holes in software, and that the reverse engineering of software to find holes in it is prohibited.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
What is 'my system'? I am responsible for the whole shebang: NT servers, 2k terminal servers, Linux firewalls and web servers, NT desktops, wireless access points.
How can I attack my own systems without attacking someone else's 'intellectual property' or some such BS? I can't. But by the terms of the licenses (even the GPL and BSD, I believe) I can't blame the people I got the software from.
Anyone living in the US, connecting to the US, or who has even heard of the US should not be doing computer security. Anyone who is doing even a reasonable job of it is checking into and poking into the products supplied by vendors. But this is illegal. The vendors can't be blamed. Only you. You can be blamed, but you don't legally have the right to do the thing/s that will make your work effective.
Run. Run and hide.
I said it in a response to a journal on this story (posted yesterday, BTW) but I'll say it again: in a fight between this guy and Ashcroft (which is what this essentially is), Ashcroft will win every time. The only way to get around the problem is to invalidate the disclaimer of warranty of merchantibility of a product. If nothing else, computer software must be fit for a specific purpose. At that point, GM and Walmart become aligned with anti-DMCA forces. Then Microsoft and the Senator from Disney get to see REAL political power.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
So if a member of the executive branch of the government publicly encourages you to break a law (DMCA), and you're then arrested, it would be considered entrapment right?
Unix is user friendly, it's just selective about who its friends are.
Does anyone really trust these clowns?
I mean, their past actions truly don't inspire a single grain of trust. Look at last week where the guy in Houston got busted by the court house for EXPOSING their wifi total lack of security (remember that they claimed he did $5000.00 in damage - no doubt that's exactly how much they paid for all the wifi stuff they had to shut down). Plus...just look at how easy they make it...try to do one good thing and some lawyer begins the mantra: DMCA..DMCA..DMCA.
Nice words you speak guy, but what did Clara say in the Wendy's commercials: "Where's the beef?"
Until I see the beef, I'm not trusting a single word you say....
So let me see where this puts us. Phred Programmer discoveres a buffer overflow that crashes IE. He tells his security professional about his discovery. Our "security professional" says "what's a buffer overflow?" and the whole thing falls on the floor.
Wait, let's try this again. Phred Programmer discovers a buffer overflow problem that crashes IE. He puts on his "security professional" hat and calls Microsoft. Microsoft says "So what? It crashes. BFD. We'll fix it on the next major release."
Phred Programmer waits until the next major release and the mess is still there. Remember, he's not supposed to write code to demonstrate this problem, or the potential harm, so Microsoft has no idea whether they've really fixed this problem.
So Phred Programmer calls the feds. They respond with "Huh? What's the big deal?" "Well, you could exploit this and hack with full administrator priviliges", says Phred Programmer. "Sounds far-fetched" say the feds. "But just in case you're right, I don't want you writing any code. Why don't you post your notions with Microsoft?" "But I already have and they promised a fix by the next major release", complains Phred Programmer.
"Hmm. We'll have to take it up with them."
And so, another major release goes by and still nothing. Meanwhile, somebody else figures out the breeched security and because the don't live in the US, they post a script for the kiddies to use.
Back to the present: Somebody explain to me why this scenario is not likely. Restricting this information to "security professionals" seems to me like an effort to sweep security problems under the rug.
Richard Clark's ideas suck, IMNSHO. He clearly has no concept of how bugs are discovered, demonstrated, and how the repair of those bugs is prioritized by software companies. Does anyone here really think Microsoft would have fixed those buffer overflow problems if no-one had written an exploit and published it? Does anyone here think that users in other countries will have any respect for stupid US policy (never mind the law)? Sheesh.
Nearly fifty percent of all graduates come from the bottom half of the class!
This guy was on NPR this morning. When asked about his remarks in context of the laws against such hacking he specifically said that he was talking about hacking by "security professionals" only and then only for the purpose of quietly notifying the software maker. In fact, he explicitly said it should remain illegal for any regular joe to hack or reverse engineer software looking for exploits just for the fun of it.
This guy is not your friend. He, like the rest of the administration, is solely concerned with corporate interests. What he has in mind here is definitely not exposing exploits and causing bad corporate PR. It is the quiet uncovering of holes and the quiet informing of the software makers so they can issue mystery patches.
The reasoning behind that I suppose is to keep malicious hackers from using public exploits. But in reality, by the time the so called "security experts" stumble on the holes, the real evil hackers have already known about them for a long time. This is just more the "keep the problem secret and it will go away" policy that has gotten us into trouble.
The way I see this issue is that I have an ethical responsibility to other users of a product to inform them of any security flaws I find. The EULA of most propriety software contain disclaimers as to fitness of use and the end users have no legal recourse for any damages incurred. In other words they put out crappy, bug ridden, security flawed software and they expect use to shut up and just use it. To not publish any security problem is to leave every user unaware of the problem and therefore open to potential damage. I say full public disclosure up front of all bugs and security problems with just enough technical detail to verify the problem. No need to provide the script kiddies with automatic tools that they can use. Perhaps the propriety software companies will start to put out a better quality product if they know that any security problem or bug will be quickly published. The end users decision might be to start using some open source software that can be fixed a lot quicker than the insecure propriety software.
zenray
The "old breaking into a house" analogy only really applies (and usually poorly) to hacking (cracking) into private systems not owned by the hacker (cracker). Hacking a computer program (or stand alone device or system) that is owned or otherwise legimately accessible by the hacker is an entirely different scenario.
This case is more like a builder or an engineer (or Bob Villa) testing different building materials, home construction methods, and security products for safety and applicability. Even materials that have been generally approved for use often need to be tested before (and sometimes after) being used in a particular way. You're not breaking into someone else's house, and you're not stealing or destroying someone else's technology. You're simply thoroughly testing something to see if it meets your needs. In general, you should be free to tell others the results of your testing. If it doesn't even stand up to specification, then you're pretty well obliged to warn others (legally so if you're an engineer), including the supplier. In no case should you be prosecuted for telling people that the product doesn't work or shouldn't be used for certain applications, and for telling people why or why not (unless you're being maliciously libel).
This perspective on hacking is much closer to the original sense of the word and is what's done every day by virtually any manufacturing or construction company, as well as individuals, academics, journalists, and consumer groups. I think that the U.S. computer security advisor is simply suggesting that computer products should be treated no differently from building materials so even though companies might want to restrict testing, reverse engineering, and negative publicity, it is not in the interest of public rights and safety. The only grey area is where computer systems include both public and private elements and there is less of a natural distinction between testing and trespassing. In the real world such evaluations might be done by third party audit, but again, the boundaries are much clearer, and as the parent comment mentioned, computer technology is less mature and harder to test exhaustively.
My next sig will be ready soon, but friends can beat the rush!
...so while they can notify the companies, they won't be able to release to the public exact details on how to break in.
You mean something like: DMCA v.1 rev. 1
I'd rather be sailing...
He said that he encourages those in the computer security field (but not anybody else) to run and attempt to crack industry software on their own computers (but not anybody else's) - ignoring the fact that this violates the DMCA - and then report any vulnerabilities to the government (as well as the manufacturer).
This seems like a tinly-veiled attempt to give the NSA a few more backdoors to me.
I vote for a 1-week courtesy notification period before a full, public disclosure - no matter who you are, or how much money you have.
Suppose I find a vulnerability in some random company's web site. After telling them about it, whom else do I tell? The NIPC?
And same for a widely used piece of software - after the software company, who in the government gets the report?
There are several languages in wide use today where the most idiomatic way to handle strings is immune to buffer overflows. Perl, for example. The worst a buffer-overflow attacker could do against a well-written Perl service is cause the network service to run out of memory and die. Admittedly that is a kind of denial-of-service attack, but it's not the worse thing that could happen.
And I'm sure that a dedicated C programmer could write a Perl program that would be vulnerable to buffer overflows, but only if he departed from "idiomatic Perl" and lapsed back into his bad C habits. Sort-of a variation of "A good Fortran programmer can write spaghetti code in any language!".
But even Perl is no magic bullet. Fix the buffer overflow problem and then the attackers start chiseling away at other stuff, like file race conditions. In the end, there's no substitute for solid software engineering.
For that matter, who set the standard so low that buffer overflows were ever tolerated?
Simple economics. It mostly works, no we didn't test every boundary condition, but the way we wrote it such testing/verification would be impossible, so ship it.
"but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."
Getting a little nit-picky here? I suspect he used hackers to describe anybody who can gain unauthorized access to otherwise restricted systems, not someone who is encouraged to find out why a "bug" caused the DoD's wargames application to crash. Yep, there's a reason he used the word "hacker" and not "software bugs hunter". I know entry can be exploited using system bugs, but hacking is obviously more than just exploiting "bugs", or did the poster just happen to miss the story immedietly following this one? A hacker is a combination of skills, not just a "bug hunter"... Which is probably why good ol' Clark used the popular definition in the first place.
You need a FREE iPod Nano
pretty good chance you'll get sued/fined/imprisoned due to the DMCA.
Sued/fined? I have a hard enough time convincing the people that I work with that there is a difference between PHP and HTML. And they are reasonably intelligent people. Try convincing G.W. that there is a difference between "hackers" and "malicious hackers". Problem solved, label them all as terrorists and throw them in jail forever. The DMCA is the last thing I'd be worried about.
- Relativistic? That's barely Newtonian!
That would make the DMCA inapplicable. He'll get fired for sure. M$ and the xxAAs will have a hit squad gunning for his ass.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
One thing I learned when listening to the Steven Soderbourgh commentary on Traffic was that... set your faces to shocked... politicians are much more objective than you think.
/. want it gets tossed out in favor of waiting for something better to come along. Heh, if that is your modus operandi, you're going to be waiting a very long time.
The problem is that we, the constituents, do not elect them for objectivity but for being subjective, stubborn, and close-minded. It's true... that's how you get elected (or stay in office).
So what is Richard Clarke doing here? It is quite possible he is beginning to switch popular perception. Using "hacker" correctly is a good start. And I assume most of us can agree that this is a step in the right direction.
The problem is that too many of the posts in this thread say "He isn't going far enough, therefore its a complete waste of time." because "the end users will never know any better."
Well I hate to say it, but this is how you get the end users informed: slowly start moving in the right direction, educating the masses, letting them put their fears to rest bit by bit. I think Clarke could really start something here IF we, the supposed IT professionals, didn't just discard what he says right off of the bat.
As a sidebar, I always wondered why people don't try for more publicity campaigns to get laws passed... especially in foreign countries. Bush can say no to Kyoto because the American people don't care/want him to. You can't much expect to force a population to do what you want by saying "You are an idiot! Think differently!" (and it hasn't ever worked).
So why don't all concerned parties deluge primetime with an ad campaign? Slowly change popular opinion? Maybe in a year you could get huge differences. The key to remember is that politicians are nothing more than fonts of popular opinion. Clinton proved it. G Dubs is proving it: it doesn't matter what you think it matters what the people believe you think by what you say.
Clarke seems to be doing that but since it isn't the Free Software/Free Beer/Free Nekkid solution so many on
What is music when you despise all sound?
... is just the flip side of different than "break it 'till it's fixed"
As mentioned previously, NPR had a good interview with Clarke on Morning Edition today. The interviewer even researched the story enough to know the Felton case. Most impressive.
Their stream is here.
Good Lord, I've deep-linked to NPR.
I heard this guy on NPR this morning asked another question about current laws and their application. The answer was very different than the initial quote suggests. He implied that only professionals should be allowed to "hack" software and that those that backward engineer software for "fun" should be prosecuted.
Seems like he wasn't really saying that it was okay to hack software in your possession. It really was just you can hack software in your possession if you work for a company involved in computer security.
So what kinds of people is this really aimed at? Seems to be aimed just at campaign contributors who own or run Software Security Companies?
I also heard Mr. Clark on NPR this morning and liked most of what I heard until he said only Security Professionals should try and find bugs and that anyone else who does is assumed to be doing it with criminal motive. I'm sorry I thought in our country guilt was not assumed but proven.
"If there are legal protections they don't have that they need, we need to look at that,"
No hurry!!
Of course. Plea to all the competent computer folks to get themselves locked up so the gov't can look like it knows what it's doing in the eyes of all the non-criminals.
It's an attitude thing.
Your classical C programmer regards memory management as something too important for the compiler to take care of.
OTOH your classical Perl programmer regards memory management as too important for the programmer to take care of.
If only "Security Professional" can legally investigate security flaws, how does one become such a "Security Professional"?
It seems you have to start your first day at the job with absolutely no experience in the field.
I know, it's gonna be a licensed profession like doctors or lawyers, with its own lobby organization, barriers of entry and all the rest. Oh well...
Of course, after this, they will probably make sure to get a court order forcing you to keep your mouth shut and there won't be a thing you can do about it after that.
At least by public disclosure you can offer the legitimate defense that for a company whose internal affairs are unknown (which would generally be the case except for people who actually worked there), public disclosure is the only way to be sure that they will actively try to fix the problem.
Trying to talk to the company privately first will, more often than not, get you nowhere because the only bugs that a company will bother to fix are the ones that actually _cause_ problems. They have too many other things to worry about to bother to fix things that *MIGHT* be exploited later.
File under 'M' for 'Manic ranting'
Ok, so the security professional finds a big flaming hole - yet can't come up with the code to prove his hypothesis.. He calls up software company A, if he's lucky he manages to wade through the phone system and find a human. "blah blah thank you for your interest in our products we here at Co. A take our customers satisfaction very seriously we'll take that issue under advisement .."
So he calls up some magical government agency (department of computer experts?).. Hell - he calls the FDA, for all the good its going to do. "Thank you for calling the FDA we care deeply about your concerns blah blah dont smoke winners dont use drugs"
So he's fed up, and wants the problem fixed; perhaps NEEDS the problem fixed, because he's got script kiddies driving herds of elephants through that hole in his system.
So he goes public - without writing an exploit, and posts "Software Co. A is knowingly selling unsecure software" on the web somewhere or in some industry mag.
Now, without proof to backup his claims, he's on the recieving end of a libel lawsuit. After all, a security expert talking down Software Co. A costs them a gazillion dollars a word in a lawyers eyes.
So he proves it with an exploit - or even worse - a workaround/patch of his own, violating the DMCA, and spends the next 5 years doing all his port-sniffing in a prison shower.
His response to the Felton case is that a Uni. comp sci professor isn't an 'expert'? A cryptogropher like Dmitri isn't either? Is he? Cause if he ain't, how dare he suggest any software has bugs in the first place.
Where do I go to enroll in Security Expert school? Sounds even better than Bovine University.
I don't need no instructions to know how to rock!!!!
Look it up yourself. The Miami Herald did a full recount, and determined that Gore would have taken Florida if the votes had actually been counted during the election.
There was a big media splash, but there was no change because the votes do not count in an election in Florida as long as your brother is Governor there and your party owns the Secretary of State and the United States Supreme Court.
>What crimes did the above-referenced gentlemen commit
Olsen was behind the slanderous lies printed in the American Spectator about Bill Clinton that were used by Ken Starr to keep open his grand jury for the term of the President. Now he's the General Counsel at the Department of Justice.
Ashcroft had most of his judgments in the Mississipi courts sealed from public scrutiny, yet he has been put in charge of enforcing the laws we're not allowed to be ignorant of.
Pitt is the guy who was the chief lobbyist for big business during the Clinton years, and specifically lobbied against legislation that would have stopped CEOs from committing the sort of frauds that led to the bubble and its downfall.
In all cases, these are the worst possible choices for these jobs. The fox is in the henhouse, and America's future is an egg on a narrow ledge.
>when were they convicted?
I didn't say they were convicted criminals. I said they were crooks.
--Blair
You need to understand the difference between saying something false/wrong (what you believe I accuse you of), and saying something unsubstantiated (what I actually think you did).
Actually, I didn't start this thread, I just jumped in randomly.
Finkployd
According to the BBC, the Miami-Herald concluded that Bush had won. I'm not willing to pay MH to see its old article on the subject, especially when all the online sources I can find agree with the BBC here.
The fact is, you just lied. The MH determined the exact opposite of what you claimed.
-Billy