U.S. Computer Security Advisor Encourages Hackers 275
DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clark was using the original, more generalized, definition of "hacker", but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."
Too Late (Score:2, Interesting)
so US security has a bit of a clue (Score:5, Interesting)
Now I hope that a USA Citizen tells them that they are encouraging something that is outlawed by the DMCA.
Of course, if you go out and actually do this... (Score:5, Interesting)
These days, with "corporate fraud" being the buzzword d'jeur, one could make a very strong argument that the DMCA encourages corporate fraud because it allows companies to sweep their product defects under the carpet.
Just be sure not to give out your name... (Score:3, Interesting)
Ethics (Score:4, Interesting)
I wonder how long the "hacker" should give the company. And is the government really the next best step? I work for the government and I seriously doubt that will get the ball rolling.
The obvious problem with full disclosure, of course, is making malicious hackers and even terrorists aware of the problem. Solutions anyone?
Re:Hackers (Score:3, Interesting)
The difference with homes is that everyone knows what they are, what they're for and the most common routes of security breakage.
When we got a security system installed at my current place, I slinked around and tried to get around without being seen by the motion detectors. Eventually I found a way to get from the back door to my computer without triggering a single motion detector. This resulted in us having them moved around.
Computers, in contract, are big nebulous boxes and most people don't know much about how they work or how to secure them. This is why they should be treated differently than homes with respect to how the security is tested.
Run to Uncle Sam? (Score:4, Interesting)
A more interesting quote is in this CNN article. [cnn.com]
Umm, really? To whom in the government? The Department of Fixing Stuff? The FBI? The FTC? The DoJ? Gosh, that'll keep (e.g.) Microsoft on their toes. Bwahahahaha!
Precedent would suggest that a more likely result will be the jailing of the hacker, and the awarding of a fat contract to the vendor.
Thanks all the same, but this is just some guy in a suit. When it's written up in law by Congress, signed by G.W.Bush, and delivered to the Library of Congress by flying pig courier, I might change my mind.
Re:Probably won't last (Score:1, Interesting)
--m
INTERVIEW THIS GUY (Score:5, Interesting)
HP (Score:2, Interesting)
Regardless of the fact that it wasn't actually SnoSoft that officially published the exploit, even if they had, Clarke is basically saying that they went about things in pretty much the most appropriate manner.
Rehash of NPR's Morning Edition Interview (Score:5, Interesting)
So let me see where this puts us. Phred Programmer discoveres a buffer overflow that crashes IE. He tells his security professional about his discovery. Our "security professional" says "what's a buffer overflow?" and the whole thing falls on the floor.
Wait, let's try this again. Phred Programmer discovers a buffer overflow problem that crashes IE. He puts on his "security professional" hat and calls Microsoft. Microsoft says "So what? It crashes. BFD. We'll fix it on the next major release."
Phred Programmer waits until the next major release and the mess is still there. Remember, he's not supposed to write code to demonstrate this problem, or the potential harm, so Microsoft has no idea whether they've really fixed this problem.
So Phred Programmer calls the feds. They respond with "Huh? What's the big deal?" "Well, you could exploit this and hack with full administrator priviliges", says Phred Programmer. "Sounds far-fetched" say the feds. "But just in case you're right, I don't want you writing any code. Why don't you post your notions with Microsoft?" "But I already have and they promised a fix by the next major release", complains Phred Programmer.
"Hmm. We'll have to take it up with them."
And so, another major release goes by and still nothing. Meanwhile, somebody else figures out the breeched security and because the don't live in the US, they post a script for the kiddies to use.
Back to the present: Somebody explain to me why this scenario is not likely. Restricting this information to "security professionals" seems to me like an effort to sweep security problems under the rug.
Richard Clark's ideas suck, IMNSHO. He clearly has no concept of how bugs are discovered, demonstrated, and how the repair of those bugs is prioritized by software companies. Does anyone here really think Microsoft would have fixed those buffer overflow problems if no-one had written an exploit and published it? Does anyone here think that users in other countries will have any respect for stupid US policy (never mind the law)? Sheesh.
Re:INTERVIEW THIS GUY (Score:4, Interesting)
This is a good idea. A natural extension to this would be to invite other goverment figures, such as Justice Department officials or members of Congress. People who have an interest in federal or international technology policies might appreciate the open, yet moderated, forum of Slashdot. This could be an example of the U.S. goverment at its best.
This could be an easier way for people to "write their Congressmen", since there really is a lower courage threshold when posting to Slashdot (yes, writing Congressmen isn't trivial for many people, even though it should be).