U.S. Computer Security Advisor Encourages Hackers

DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clark was using the original, more generalized, definition of "hacker", but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."

They will first encourage you

[PrimeNumber]

then put you in jail for DMCA violations.

Re:Hackers

[MagPulse]

This is more like an architect taking a model of your house, finding the weaknesses, and telling the manufacturer about it so they can fix your house before someone malicious takes advantage of it.

Re:so US security has a bit of a clue

[Surak]

I listened to an interview with Richard Clarke this morning on NPR. He basically said that he *knows* that this is outlawed by the DMCA (and other laws against hacking) and suggested that computer professionals try to break only to their own systems, so as to avoid legal wrath.

Uhhh...yeah, isn't this what computer security professionals do *already* as part of the normal course of their everyday jobs? (If not, they *should* :-P)

Re:Probably won't last

[Darkstar9969]

..Actually I heard him interviewed on NPR this morning. His whole story was that ONLY computer security professionals should engage in this type of "hacking". For everyone else no attempt should be made to reverse engineer or post exploits to the world. He did stop short of adding the popular closing "or the terrorists win" but really he was pushing M$'s security-through-obscurity line over and over again.

To his credit though, he did explain the difference between the current perception of hackers as being evil lawbreakers and the original definition of the old MIT hackers. He did broaden it just a bit by saying that old hackers were anyone who was into computers...whatever that means.

Mailing address

[tww-china]

Anyone have the mailing address of the President's Critical Infrastructure Protection Board (PCIPB)? Their home page is http://www.whitehouse.gov/pcipb/ but there's no address and the email address for feedback, feedback@who.eop.gov, doesn't work.

Interresting fuel for the full-disclosure debate

[davebooth]

Disclaimer: My personal side in the above-mentioned debate is already decided. I advocate responsible full disclosure. Tell the vendor first, but dont agree to any NDAs and always make it clear to the vendor that after a reasonable delay you go public with everything you've got relating to the hole.

Having proclaimed my bias, it was interesting to hear the guys own words on NPR this morning. On the positive side he correctly defined "hacker." On the negative side he clearly preferred a more restrictive disclosure policy that could be summarized as "Tell the vendor then shut the hell up and go away" When gently pressed he was prepared to allow notification of a "responsible" coordinating agency but he made very sure to never advocate anything so liberal as responsible full disclosure. I was busily making breakfast and coffee at the time so I might have missed an implication or two but these days the usual spin on "responsible" when linked to the word "agency" mean either government-sanctioned-&-corporate-owned or government-operated. Some security hackers find this a potentially scary thought.

Personally, I take responsibility for my own systems security. Based on the information I have I do my best to keep them buttoned down. Only in that way can I ethically place any blame on the persons that might try and crack them. (Of course I also know my limitations - if a true expert wants to smoke my systems I know they're gone. I'll be satisfied with keeping the worms and kiddies out whilst trusting that theres nothing on my own boxes that a true expert wants badly enough to put in the effort)

From this standpoint, anything other than responsible full disclosure denies me knowledge I need in order to make an informed decision about the risks I'm assuming. Similarly to do anything less myself, should I discover a security hole, is failing in my obligations to my colleagues.

To my mind he's advocating using the community as a source of free QA services whilst at the same time making sure that the vendors can get away with the old oxymoron of security through obscurity. Who'd bet against a government sponsored coordinating body being followed rapidly by laws prohibiting disclosure of holes other than through that body?

Contrary to his remarks on NPR this morning

[JUSTONEMORELATTE]

On the drive in, NPR had an interview with this guy (Yes, I listen to NPR in the car. Yes, I'm old.) and his remarks there made it clear that he thinks reverse-engineering software to find security holes should be criminal unless the person doing it is employed as a computer security professional.

I'd rate him above-average on the clue-o-meter (certainly as federal gov't employees go!) but he's not a friend to the hackers by any stretch.

No ACCIDENTAL WEAKNESSES

[shoppa]

He is only encouraging those who accidently find weaknesses to responsibly report them.

The thing is, network security weaknesses are rarely accidental. You can reliably predict the top five causes of security weaknesses:

1. Buffer overflows
2. Buffer overflows
3. Buffer overflows
4. Buffer overflows
5. Buffer overflows

There's nothing at all accidental about why those are where the security weaknesses are - it's because most services are written in languages that make it very easy to overflow a buffer. What we need is a law that makes it a crime to do such poor software engineering.

Re:Just be sure not to give out your name...

[ibsteveog]

Well, you got the concept right and all the facts wrong...

The fellow was Brian West, who worked for an ISP, and he did a little more than just "discover" the security hole in the Poteau Daily News website. A link [nipc.gov] to more info..

NPR Stream

[Dr.Seuss]

As mentioned previously, NPR had a good interview with Clarke on Morning Edition today. The interviewer even researched the story enough to know the Felton case. Most impressive.
Their stream is here. [npr.org]


Good Lord, I've deep-linked to NPR.

Re:I heard this guy on NPR this morning...

[homer_ca]

" and then report any vulnerabilities to the government (as well as the manufacturer)."

If this message from Snosoft is any indication, I wouldn't have much confidence in reporting to the government either.

From: KF
To: full-disclosure@lists.netsys.com ; bugtraq@securityfocus.com ; recon@snosoft.com
Sent: Wednesday, July 31, 2002 7:42 PM
Subject: [Full-Disclosure] for the record... (Tru64 / Compaq)

http://www.msnbc.com/news/788216.asp?0dm=T14JT

Clarke cautioned that hackers should be responsible in reporting programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker does not respond soon.

--

For the record... we contacted HP(at the time Compaq), and CERT several times. I attached the original version of our su exploit (not the one that phased leaked) to NIPC and to CERT BOTH. We recieved an extremely long delay at CERT before they even responded. At that point I called CERT 2 times to see what the heck was going on and eventually I establish contact (Ian Finley). I also mailed nipc.watch@nipc.gov or whatever the email address on their page was. They didn't mail back ... no auto responder or nothing. ( I mailed the back weeks later and said I was shocked that I got no response and still got nothing back). I then called the NIPC hotline 3 times. The first 2 times I called I spoke to someone that should have been flopping whoppers "uhhhh a non-executable computer security what... let me send you to so and so's voicemail". Then I called back a week later and gave them the CERT vu numbers (after CERT finally responed). I left my cell phone number on someones voicemail again at NIPC... no one called me back.

I deeply regret the fact that one of my team members plagerized another and leaked some code but my god people WE TRYED to give SEVERAL people a heads up!

-KF