Slashdot Mirror

← Back to Stories (view on slashdot.org)

U.S. Computer Security Advisor Encourages Hackers

Posted by timothy on from the grain-of-salt-to-choke-a-volcano dept.

DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clark was using the original, more generalized, definition of "hacker", but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."

16 of 275 comments (clear)

  1. break programs? by stray · · Score: 5, Funny
    From the article: A presidential advisor encouraged the nation's top computer security professionals and hackers Wednesday to try to break computer programs, but said they might need protection from the legal wrath of software makers.

    ... and there I was, thinking that most computer programs were broken to begin with. How about encouraging computer professionals to *fix* programs?

  2. so US security has a bit of a clue by Jucius+Maximus · · Score: 5, Interesting
    They recognise that 'hacking' is a good way of helping to secure systems, which is good.

    Now I hope that a USA Citizen tells them that they are encouraging something that is outlawed by the DMCA.

    1. Re:so US security has a bit of a clue by Surak · · Score: 4, Informative

      I listened to an interview with Richard Clarke this morning on NPR. He basically said that he *knows* that this is outlawed by the DMCA (and other laws against hacking) and suggested that computer professionals try to break only to their own systems, so as to avoid legal wrath.

      Uhhh...yeah, isn't this what computer security professionals do *already* as part of the normal course of their everyday jobs? (If not, they *should* :-P)

      --
      My journal has hot /. gossip.
  3. Of course, if you go out and actually do this... by Rude+Turnip · · Score: 5, Interesting

    There's a pretty good chance you'll get sued/fined/imprisoned due to the DMCA. Of course, the advisor did say that some legal protection for hackers should be in place to prevent such a mess.

    These days, with "corporate fraud" being the buzzword d'jeur, one could make a very strong argument that the DMCA encourages corporate fraud because it allows companies to sweep their product defects under the carpet.

    --
    Bill Clinton: Pimp we can believe in. - The Shirt!!!
  4. Re:Hackers (not a slippery slope at all) by MarvinMouse · · Score: 4, Insightful

    I think what he meant was people who try to break their own systems to find bugs in them. Not the people who mindlessly hack into other peoples web pages and change them because they have no time.

    He means responsible hackers who just find the problems and notify the company. Not hack into banks or your computer.

    It is perfectly legal for someone to try to defeat their own home security system. While it is not legal for them to break someone elses (unless requested.)

    Not a very slippery slope at all if you look closer. All he wants is for people who discover or uncover problems on their own little systems or labs to be allowed to tell the companies. Or even just let these people find the problems on their own. As well, he wants to legislate it a bit more, so while they can notify the companies, they won't be able to release to the public exact details on how to break in.

    Just like, if I discovered that my security system on my car was easily breakable. I could tell the company, and let my friends know there is a problem. But I cannot publish a detailed paper explaining how to unlock doors with a screwdriver and some patience.

    --
    ~ kjrose
  5. Re:Hackers by MagPulse · · Score: 4, Informative

    This is more like an architect taking a model of your house, finding the weaknesses, and telling the manufacturer about it so they can fix your house before someone malicious takes advantage of it.

  6. Ethics by YanceyAI · · Score: 4, Interesting
    This is an interesting ethical question. Clarke said the hackers should be responsible about reporting the programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker doesn't respond soon. The philosophy is good in theory, but often large companies ignore problems to avoid the press and/or expense of fixing the security hole.

    I wonder how long the "hacker" should give the company. And is the government really the next best step? I work for the government and I seriously doubt that will get the ball rolling.

    The obvious problem with full disclosure, of course, is making malicious hackers and even terrorists aware of the problem. Solutions anyone?

    --
    Can I bum a sig?
    1. Re:Ethics by jafac · · Score: 5, Insightful

      That's bullshit.

      If some shadetree mechanic is working on his buddie's Camaro, and finds a manufacturing defect that ought to prompt a safety recall - he goes to the manufacturer and most likely gets promptly ignored (for the sake of argument here). He can then go to something like Consumer Affairs, but he sure as hell doesn't have to. He can go straight to the press to warn people that their Camaros (or whatever) are going to fall apart at 88 miles per hour.

      That is PRECISELY what the hackers are doing - they're going to the press.
      Respected, established, journalistic entities, specializing in the field of computer security. 2600 magazine, BugTraq, etc.

      Not publishing a security hole, not being able to report something to the press, THAT is an abridgement of free speech. It's BULLSHIT that someone needs to be an "employed security professional" to have the right to work on computers and find bugs.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  7. Run to Uncle Sam? by Rogerborg · · Score: 4, Interesting

    A more interesting quote is in this CNN article.

    • "A hacker should contact the software maker first, he said, then go to the government if the software maker does not respond soon."

    Umm, really? To whom in the government? The Department of Fixing Stuff? The FBI? The FTC? The DoJ? Gosh, that'll keep (e.g.) Microsoft on their toes. Bwahahahaha!

    Precedent would suggest that a more likely result will be the jailing of the hacker, and the awarding of a fat contract to the vendor.

    Thanks all the same, but this is just some guy in a suit. When it's written up in law by Congress, signed by G.W.Bush, and delivered to the Library of Congress by flying pig courier, I might change my mind.

    --
    If you were blocking sigs, you wouldn't have to read this.
  8. INTERVIEW THIS GUY by geekoid · · Score: 5, Interesting

    we need to get Richard Clarke to do a slashdot interview. I think this would be an enormous opportunity for the slashdot readers to find out what someone high up thinks about the dmca and its effects to the community. It will also give Richard Clarke the opportunity to here the concerns right from the community instead of from corp. reps.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:INTERVIEW THIS GUY by pmz · · Score: 4, Interesting

      we need to get Richard Clarke to do a slashdot interview.

      This is a good idea. A natural extension to this would be to invite other goverment figures, such as Justice Department officials or members of Congress. People who have an interest in federal or international technology policies might appreciate the open, yet moderated, forum of Slashdot. This could be an example of the U.S. goverment at its best.

      This could be an easier way for people to "write their Congressmen", since there really is a lower courage threshold when posting to Slashdot (yes, writing Congressmen isn't trivial for many people, even though it should be).

      --
      Healthcare article at Kuro5hin
  9. Contrary to his remarks on NPR this morning by JUSTONEMORELATTE · · Score: 4, Informative

    On the drive in, NPR had an interview with this guy (Yes, I listen to NPR in the car. Yes, I'm old.) and his remarks there made it clear that he thinks reverse-engineering software to find security holes should be criminal unless the person doing it is employed as a computer security professional.

    I'd rate him above-average on the clue-o-meter (certainly as federal gov't employees go!) but he's not a friend to the hackers by any stretch.

  10. What is mine? by gmhowell · · Score: 4, Insightful

    What is 'my system'? I am responsible for the whole shebang: NT servers, 2k terminal servers, Linux firewalls and web servers, NT desktops, wireless access points.

    How can I attack my own systems without attacking someone else's 'intellectual property' or some such BS? I can't. But by the terms of the licenses (even the GPL and BSD, I believe) I can't blame the people I got the software from.

    Anyone living in the US, connecting to the US, or who has even heard of the US should not be doing computer security. Anyone who is doing even a reasonable job of it is checking into and poking into the products supplied by vendors. But this is illegal. The vendors can't be blamed. Only you. You can be blamed, but you don't legally have the right to do the thing/s that will make your work effective.

    Run. Run and hide.

    I said it in a response to a journal on this story (posted yesterday, BTW) but I'll say it again: in a fight between this guy and Ashcroft (which is what this essentially is), Ashcroft will win every time. The only way to get around the problem is to invalidate the disclaimer of warranty of merchantibility of a product. If nothing else, computer software must be fit for a specific purpose. At that point, GM and Walmart become aligned with anti-DMCA forces. Then Microsoft and the Senator from Disney get to see REAL political power.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  11. Re:Just be sure not to give out your name... by ibsteveog · · Score: 4, Informative
    Well, you got the concept right and all the facts wrong...

    The fellow was Brian West, who worked for an ISP, and he did a little more than just "discover" the security hole in the Poteau Daily News website. A link to more info..

  12. Rehash of NPR's Morning Edition Interview by AB3A · · Score: 5, Interesting
    I heard this interview this morning. What he said was not encouraging. He wants "security professionals" to do the hacking --not programmers or kids down the street. He wants them to reveal the exploit without offering code demonstrating it, and he wants to keep it all secret. He made no mention of any time limits before one should give up and go public with this information.

    So let me see where this puts us. Phred Programmer discoveres a buffer overflow that crashes IE. He tells his security professional about his discovery. Our "security professional" says "what's a buffer overflow?" and the whole thing falls on the floor.

    Wait, let's try this again. Phred Programmer discovers a buffer overflow problem that crashes IE. He puts on his "security professional" hat and calls Microsoft. Microsoft says "So what? It crashes. BFD. We'll fix it on the next major release."

    Phred Programmer waits until the next major release and the mess is still there. Remember, he's not supposed to write code to demonstrate this problem, or the potential harm, so Microsoft has no idea whether they've really fixed this problem.

    So Phred Programmer calls the feds. They respond with "Huh? What's the big deal?" "Well, you could exploit this and hack with full administrator priviliges", says Phred Programmer. "Sounds far-fetched" say the feds. "But just in case you're right, I don't want you writing any code. Why don't you post your notions with Microsoft?" "But I already have and they promised a fix by the next major release", complains Phred Programmer.

    "Hmm. We'll have to take it up with them."

    And so, another major release goes by and still nothing. Meanwhile, somebody else figures out the breeched security and because the don't live in the US, they post a script for the kiddies to use.

    Back to the present: Somebody explain to me why this scenario is not likely. Restricting this information to "security professionals" seems to me like an effort to sweep security problems under the rug.

    Richard Clark's ideas suck, IMNSHO. He clearly has no concept of how bugs are discovered, demonstrated, and how the repair of those bugs is prioritized by software companies. Does anyone here really think Microsoft would have fixed those buffer overflow problems if no-one had written an exploit and published it? Does anyone here think that users in other countries will have any respect for stupid US policy (never mind the law)? Sheesh.

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!
  13. Hacking for "Security Professionals" only by Mr.Sharpy · · Score: 5, Insightful

    This guy was on NPR this morning. When asked about his remarks in context of the laws against such hacking he specifically said that he was talking about hacking by "security professionals" only and then only for the purpose of quietly notifying the software maker. In fact, he explicitly said it should remain illegal for any regular joe to hack or reverse engineer software looking for exploits just for the fun of it.

    This guy is not your friend. He, like the rest of the administration, is solely concerned with corporate interests. What he has in mind here is definitely not exposing exploits and causing bad corporate PR. It is the quiet uncovering of holes and the quiet informing of the software makers so they can issue mystery patches.

    The reasoning behind that I suppose is to keep malicious hackers from using public exploits. But in reality, by the time the so called "security experts" stumble on the holes, the real evil hackers have already known about them for a long time. This is just more the "keep the problem secret and it will go away" policy that has gotten us into trouble.