Slashdot Mirror
U.S. Computer Security Advisor Encourages Hackers
DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clark was using the original, more generalized, definition of "hacker", but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."
If only the left hand knew what the right hand was doing...
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
If something like this made it anywhere near being a policy decision, when the popular press got ahold of it, it would not last very long. Joe Sixpack doesn't know much about computers, but he knows the word 'hacker' and he knows that it's mapped to the word 'bad'. So when anyone suggests letting (hackers=>bad people) near our critical computers (which all computers are...) then Joe goes on the warpath and gets it struck down.
Which is more surprising: Government representative supports hackers, or Government representative uses correct meaning of "Hacker".
Maran
Being publicly accountable makes a company more diligent with security and bug testing. The only downside to public announcements is that every hacker out there now knows about it. The upside to THAT is that the company now has a hell of a lot of incentive to patch the hole in a prompt manner. Just my 2c!
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Now I hope that a USA Citizen tells them that they are encouraging something that is outlawed by the DMCA.
There's a pretty good chance you'll get sued/fined/imprisoned due to the DMCA. Of course, the advisor did say that some legal protection for hackers should be in place to prevent such a mess.
These days, with "corporate fraud" being the buzzword d'jeur, one could make a very strong argument that the DMCA encourages corporate fraud because it allows companies to sweep their product defects under the carpet.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
There was the incident of the fellow who discovered that the New York Times was left wide open by FrontPage. So he called to tell them, and was promptly arrested. I wonder if Mr. Clarke thinks that's fair.
I suggest that a US citizen send them a fax or two about Hewlett Packard.
I think what he meant was people who try to break their own systems to find bugs in them. Not the people who mindlessly hack into other peoples web pages and change them because they have no time.
He means responsible hackers who just find the problems and notify the company. Not hack into banks or your computer.
It is perfectly legal for someone to try to defeat their own home security system. While it is not legal for them to break someone elses (unless requested.)
Not a very slippery slope at all if you look closer. All he wants is for people who discover or uncover problems on their own little systems or labs to be allowed to tell the companies. Or even just let these people find the problems on their own. As well, he wants to legislate it a bit more, so while they can notify the companies, they won't be able to release to the public exact details on how to break in.
Just like, if I discovered that my security system on my car was easily breakable. I could tell the company, and let my friends know there is a problem. But I cannot publish a detailed paper explaining how to unlock doors with a screwdriver and some patience.
~ kjrose
This is more like an architect taking a model of your house, finding the weaknesses, and telling the manufacturer about it so they can fix your house before someone malicious takes advantage of it.
I wonder how long the "hacker" should give the company. And is the government really the next best step? I work for the government and I seriously doubt that will get the ball rolling.
The obvious problem with full disclosure, of course, is making malicious hackers and even terrorists aware of the problem. Solutions anyone?
Can I bum a sig?
system only works when the hackers show 'good faith'
who gets to decide what a hacker did was in 'good faith'? These proposed laws mixed with the DMCA should make the credibiliy of the system less than it is currently treading at...
Jesus saves souls and redeems them for valuable cash prizes
The difference with homes is that everyone knows what they are, what they're for and the most common routes of security breakage.
When we got a security system installed at my current place, I slinked around and tried to get around without being seen by the motion detectors. Eventually I found a way to get from the back door to my computer without triggering a single motion detector. This resulted in us having them moved around.
Computers, in contract, are big nebulous boxes and most people don't know much about how they work or how to secure them. This is why they should be treated differently than homes with respect to how the security is tested.
A more interesting quote is in this CNN article.
Umm, really? To whom in the government? The Department of Fixing Stuff? The FBI? The FTC? The DoJ? Gosh, that'll keep (e.g.) Microsoft on their toes. Bwahahahaha!
Precedent would suggest that a more likely result will be the jailing of the hacker, and the awarding of a fat contract to the vendor.
Thanks all the same, but this is just some guy in a suit. When it's written up in law by Congress, signed by G.W.Bush, and delivered to the Library of Congress by flying pig courier, I might change my mind.
If you were blocking sigs, you wouldn't have to read this.
I listened to an interview with Richard Clarke this morning on NPR. He basically said that he *knows* that this is outlawed by the DMCA (and other laws against hacking) and suggested that computer professionals try to break only to their own systems, so as to avoid legal wrath.
Except that HP is threatening the DMCA against the group who (notified and) publicized the Tru64 vulnerability. AFAIK, this vulnerability was found by their examination of their own systems.
When I was a kid, we only had one Darth.
I heard the NPR Morning Edition interview with Richard Clarke this morning. Yes, Clarke encourages "hackers" to take find security holes, but be responsible: after discovering the security hole, notify the government and the manufacturer, but DO NOT tell the world. Clarke argues that he wants the software manufacturer to have time to develop a patch before announcing the vulnerability.
Clarke also said he wants "Computer Security Specialists" to hack and not the people doing it for fun. This ambiguity is the problem: how do you define "Computer Security Specialist"? Most of everything I learned about IT came through hacking for fun. Now I'm employed as a "Computer Security Specialist."
"I'm The Bounty Bear. I will find him anywhere. I'm searching."
we need to get Richard Clarke to do a slashdot interview. I think this would be an enormous opportunity for the slashdot readers to find out what someone high up thinks about the dmca and its effects to the community. It will also give Richard Clarke the opportunity to here the concerns right from the community instead of from corp. reps.
The Kruger Dunning explains most post on
Disclaimer: My personal side in the above-mentioned debate is already decided. I advocate responsible full disclosure. Tell the vendor first, but dont agree to any NDAs and always make it clear to the vendor that after a reasonable delay you go public with everything you've got relating to the hole.
Having proclaimed my bias, it was interesting to hear the guys own words on NPR this morning. On the positive side he correctly defined "hacker." On the negative side he clearly preferred a more restrictive disclosure policy that could be summarized as "Tell the vendor then shut the hell up and go away" When gently pressed he was prepared to allow notification of a "responsible" coordinating agency but he made very sure to never advocate anything so liberal as responsible full disclosure. I was busily making breakfast and coffee at the time so I might have missed an implication or two but these days the usual spin on "responsible" when linked to the word "agency" mean either government-sanctioned-&-corporate-owned or government-operated. Some security hackers find this a potentially scary thought.
Personally, I take responsibility for my own systems security. Based on the information I have I do my best to keep them buttoned down. Only in that way can I ethically place any blame on the persons that might try and crack them. (Of course I also know my limitations - if a true expert wants to smoke my systems I know they're gone. I'll be satisfied with keeping the worms and kiddies out whilst trusting that theres nothing on my own boxes that a true expert wants badly enough to put in the effort)
From this standpoint, anything other than responsible full disclosure denies me knowledge I need in order to make an informed decision about the risks I'm assuming. Similarly to do anything less myself, should I discover a security hole, is failing in my obligations to my colleagues.
To my mind he's advocating using the community as a source of free QA services whilst at the same time making sure that the vendors can get away with the old oxymoron of security through obscurity. Who'd bet against a government sponsored coordinating body being followed rapidly by laws prohibiting disclosure of holes other than through that body?
I had a
On the drive in, NPR had an interview with this guy (Yes, I listen to NPR in the car. Yes, I'm old.) and his remarks there made it clear that he thinks reverse-engineering software to find security holes should be criminal unless the person doing it is employed as a computer security professional.
I'd rate him above-average on the clue-o-meter (certainly as federal gov't employees go!) but he's not a friend to the hackers by any stretch.
The thing is, network security weaknesses are rarely accidental. You can reliably predict the top five causes of security weaknesses:
- Buffer overflows
- Buffer overflows
- Buffer overflows
- Buffer overflows
- Buffer overflows
There's nothing at all accidental about why those are where the security weaknesses are - it's because most services are written in languages that make it very easy to overflow a buffer. What we need is a law that makes it a crime to do such poor software engineering.Be careful when you say that Clarke "encourages discovery of software bugs". On NPR this morning they mentioned Ed Felton and Dmitri (though not by name) asked Clarke if his statements at blackhat was consistent with the government's prosecution of people who find holes in software. Clarke responded that US law prohibits people who are not "security professionals" from intentionally looking for security holes in software, and that the reverse engineering of software to find holes in it is prohibited.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
What is 'my system'? I am responsible for the whole shebang: NT servers, 2k terminal servers, Linux firewalls and web servers, NT desktops, wireless access points.
How can I attack my own systems without attacking someone else's 'intellectual property' or some such BS? I can't. But by the terms of the licenses (even the GPL and BSD, I believe) I can't blame the people I got the software from.
Anyone living in the US, connecting to the US, or who has even heard of the US should not be doing computer security. Anyone who is doing even a reasonable job of it is checking into and poking into the products supplied by vendors. But this is illegal. The vendors can't be blamed. Only you. You can be blamed, but you don't legally have the right to do the thing/s that will make your work effective.
Run. Run and hide.
I said it in a response to a journal on this story (posted yesterday, BTW) but I'll say it again: in a fight between this guy and Ashcroft (which is what this essentially is), Ashcroft will win every time. The only way to get around the problem is to invalidate the disclaimer of warranty of merchantibility of a product. If nothing else, computer software must be fit for a specific purpose. At that point, GM and Walmart become aligned with anti-DMCA forces. Then Microsoft and the Senator from Disney get to see REAL political power.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
So let me see where this puts us. Phred Programmer discoveres a buffer overflow that crashes IE. He tells his security professional about his discovery. Our "security professional" says "what's a buffer overflow?" and the whole thing falls on the floor.
Wait, let's try this again. Phred Programmer discovers a buffer overflow problem that crashes IE. He puts on his "security professional" hat and calls Microsoft. Microsoft says "So what? It crashes. BFD. We'll fix it on the next major release."
Phred Programmer waits until the next major release and the mess is still there. Remember, he's not supposed to write code to demonstrate this problem, or the potential harm, so Microsoft has no idea whether they've really fixed this problem.
So Phred Programmer calls the feds. They respond with "Huh? What's the big deal?" "Well, you could exploit this and hack with full administrator priviliges", says Phred Programmer. "Sounds far-fetched" say the feds. "But just in case you're right, I don't want you writing any code. Why don't you post your notions with Microsoft?" "But I already have and they promised a fix by the next major release", complains Phred Programmer.
"Hmm. We'll have to take it up with them."
And so, another major release goes by and still nothing. Meanwhile, somebody else figures out the breeched security and because the don't live in the US, they post a script for the kiddies to use.
Back to the present: Somebody explain to me why this scenario is not likely. Restricting this information to "security professionals" seems to me like an effort to sweep security problems under the rug.
Richard Clark's ideas suck, IMNSHO. He clearly has no concept of how bugs are discovered, demonstrated, and how the repair of those bugs is prioritized by software companies. Does anyone here really think Microsoft would have fixed those buffer overflow problems if no-one had written an exploit and published it? Does anyone here think that users in other countries will have any respect for stupid US policy (never mind the law)? Sheesh.
Nearly fifty percent of all graduates come from the bottom half of the class!
This guy was on NPR this morning. When asked about his remarks in context of the laws against such hacking he specifically said that he was talking about hacking by "security professionals" only and then only for the purpose of quietly notifying the software maker. In fact, he explicitly said it should remain illegal for any regular joe to hack or reverse engineer software looking for exploits just for the fun of it.
This guy is not your friend. He, like the rest of the administration, is solely concerned with corporate interests. What he has in mind here is definitely not exposing exploits and causing bad corporate PR. It is the quiet uncovering of holes and the quiet informing of the software makers so they can issue mystery patches.
The reasoning behind that I suppose is to keep malicious hackers from using public exploits. But in reality, by the time the so called "security experts" stumble on the holes, the real evil hackers have already known about them for a long time. This is just more the "keep the problem secret and it will go away" policy that has gotten us into trouble.
" and then report any vulnerabilities to the government (as well as the manufacturer)."
... no auto responder or nothing. ( I mailed the back weeks later and said I was shocked that I got no response and still got nothing back). I then called the NIPC hotline 3 times. The first 2 times I called I spoke to someone that should have been flopping whoppers "uhhhh a non-executable computer security what... let me send you to so and so's voicemail". Then I called back a week later and gave them the CERT vu numbers (after CERT finally responed). I left my cell phone number on someones voicemail again at NIPC... no one called me back.
If this message from Snosoft is any indication, I wouldn't have much confidence in reporting to the government either.
From: KF
To: full-disclosure@lists.netsys.com ; bugtraq@securityfocus.com ; recon@snosoft.com
Sent: Wednesday, July 31, 2002 7:42 PM
Subject: [Full-Disclosure] for the record... (Tru64 / Compaq)
http://www.msnbc.com/news/788216.asp?0dm=T14JT
Clarke cautioned that hackers should be responsible in reporting programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker does not respond soon.
--
For the record... we contacted HP(at the time Compaq), and CERT several times. I attached the original version of our su exploit (not the one that phased leaked) to NIPC and to CERT BOTH. We recieved an extremely long delay at CERT before they even responded. At that point I called CERT 2 times to see what the heck was going on and eventually I establish contact (Ian Finley). I also mailed nipc.watch@nipc.gov or whatever the email address on their page was. They didn't mail back
I deeply regret the fact that one of my team members plagerized another and leaked some code but my god people WE TRYED to give SEVERAL people a heads up!
-KF