U.S. Computer Security Advisor Encourages Hackers 275
DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers, and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clarke was using the original, more generalized, definition of 'hacker', but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."
They will first encourage you (Score:2, Informative)
Re:Hackers (Score:4, Informative)
Re:so US security has a bit of a clue (Score:4, Informative)
Uhhh...yeah, isn't this what computer security professionals do *already* as part of the normal course of their everyday jobs? (If not, they *should*
Re:Probably won't last (Score:3, Informative)
To his credit though, he did explain the difference between the current perception of hackers as being evil lawbreakers and the original definition of the old MIT hackers. He did broaden it just a bit by saying that old hackers were anyone who was into computers...whatever that means.
Mailing address (Score:2, Informative)
Interresting fuel for the full-disclosure debate (Score:3, Informative)
Disclaimer: My personal side in the above-mentioned debate is already decided. I advocate responsible full disclosure. Tell the vendor first, but don't agree to any NDAs and always make it clear to the vendor that after a reasonable delay you go public with everything you've got relating to the hole.
Having proclaimed my bias, it was interesting to hear the guy's own words on NPR this morning. On the positive side he correctly defined "hacker." On the negative side he clearly preferred a more restrictive disclosure policy that could be summarized as "Tell the vendor, then shut the hell up and go away." When gently pressed he was prepared to allow notification of a "responsible" coordinating agency, but he made very sure to never advocate anything so liberal as responsible full disclosure. I was busily making breakfast and coffee at the time, so I might have missed an implication or two, but these days the usual spin on "responsible" when linked to the word "agency" means either government-sanctioned-&-corporate-owned or government-operated. Some security hackers find this a potentially scary thought.
Personally, I take responsibility for my own systems' security. Based on the information I have, I do my best to keep them buttoned down. Only in that way can I ethically place any blame on the persons that might try to crack them. (Of course I also know my limitations: if a true expert wants to smoke my systems, I know they're gone. I'll be satisfied with keeping the worms and kiddies out whilst trusting that there's nothing on my own boxes that a true expert wants badly enough to put in the effort.)
From this standpoint, anything other than responsible full disclosure denies me knowledge I need in order to make an informed decision about the risks I'm assuming. Similarly, to do anything less myself, should I discover a security hole, is failing in my obligations to my colleagues.
To my mind he's advocating using the community as a source of free QA services whilst at the same time making sure that the vendors can get away with the old oxymoron of security through obscurity. Who'd bet against a government-sponsored coordinating body being followed rapidly by laws prohibiting disclosure of holes other than through that body?
Contrary to his remarks on NPR this morning (Score:4, Informative)
I'd rate him above average on the clue-o-meter (certainly as federal gov't employees go!), but he's not a friend to the hackers by any stretch.
No ACCIDENTAL WEAKNESSES (Score:3, Informative)
The thing is, network security weaknesses are rarely accidental. You can reliably predict the top five causes of security weaknesses:
Re:Just be sure not to give out your name... (Score:4, Informative)
The fellow was Brian West, who worked for an ISP, and he did a little more than just "discover" the security hole in the Poteau Daily News website. A link [nipc.gov] to more info..
NPR Stream (Score:2, Informative)
Their stream is here. [npr.org]
Good Lord, I've deep-linked to NPR.
Re:I heard this guy on NPR this morning... (Score:3, Informative)
If this message from Snosoft is any indication, I wouldn't have much confidence in reporting to the government either.
From: KF
To: full-disclosure@lists.netsys.com ; bugtraq@securityfocus.com ; recon@snosoft.com
Sent: Wednesday, July 31, 2002 7:42 PM
Subject: [Full-Disclosure] for the record... (Tru64 / Compaq)
http://www.msnbc.com/news/788216.asp?0dm=T14JT
Clarke cautioned that hackers should be responsible in reporting programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker does not respond soon.
--
For the record... we contacted HP (at the time Compaq) and CERT several times. I attached the original version of our su exploit (not the one that phased leaked) to NIPC and to CERT BOTH. We received an extremely long delay at CERT before they even responded. At that point I called CERT 2 times to see what the heck was going on and eventually I established contact (Ian Finley). I also mailed nipc.watch@nipc.gov or whatever the email address on their page was. They didn't mail back.
I deeply regret the fact that one of my team members plagiarized another and leaked some code, but my god people, WE TRIED to give SEVERAL people a heads up!
-KF