U.S. Computer Security Advisor Encourages Hackers

DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clark was using the original, more generalized, definition of "hacker", but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."

Too Late

[ShishCoBob]

It's a little too late for these. We already have a number of people in jail for finding software bugs and releasing the details without doing any damage... And isn't there a law already against this exact thing here?

so US security has a bit of a clue

[Jucius Maximus]

They recognise that 'hacking' is a good way of helping to secure systems, which is good.

Now I hope that a USA Citizen tells them that they are encouraging something that is outlawed by the DMCA.

Of course, if you go out and actually do this...

[Rude Turnip]

There's a pretty good chance you'll get sued/fined/imprisoned due to the DMCA. Of course, the advisor did say that some legal protection for hackers should be in place to prevent such a mess.

These days, with "corporate fraud" being the buzzword d'jeur, one could make a very strong argument that the DMCA encourages corporate fraud because it allows companies to sweep their product defects under the carpet.

Just be sure not to give out your name...

[iritant]

There was the incident of the fellow who discovered that the New York Times was left wide open by FrontPage. So he called to tell them, and was promptly arrested. I wonder if Mr. Clarke thinks that's fair.

Ethics

[YanceyAI]

This is an interesting ethical question. Clarke said the hackers should be responsible about reporting the programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker doesn't respond soon. The philosophy is good in theory, but often large companies ignore problems to avoid the press and/or expense of fixing the security hole.

I wonder how long the "hacker" should give the company. And is the government really the next best step? I work for the government and I seriously doubt that will get the ball rolling.

The obvious problem with full disclosure, of course, is making malicious hackers and even terrorists aware of the problem. Solutions anyone?

Re:Hackers

[Jucius Maximus]

"I suppose next they'll be suggesting that thieves be allowed to break into my house, just to see if it is secure."

The difference with homes is that everyone knows what they are, what they're for and the most common routes of security breakage.

When we got a security system installed at my current place, I slinked around and tried to get around without being seen by the motion detectors. Eventually I found a way to get from the back door to my computer without triggering a single motion detector. This resulted in us having them moved around.

Computers, in contract, are big nebulous boxes and most people don't know much about how they work or how to secure them. This is why they should be treated differently than homes with respect to how the security is tested.

Run to Uncle Sam?

[Rogerborg]

A more interesting quote is in this CNN article. [cnn.com]

• "A hacker should contact the software maker first, he said, then go to the government if the software maker does not respond soon."

Umm, really? To whom in the government? The Department of Fixing Stuff? The FBI? The FTC? The DoJ? Gosh, that'll keep (e.g.) Microsoft on their toes. Bwahahahaha!

Precedent would suggest that a more likely result will be the jailing of the hacker, and the awarding of a fat contract to the vendor.

Thanks all the same, but this is just some guy in a suit. When it's written up in law by Congress, signed by G.W.Bush, and delivered to the Library of Congress by flying pig courier, I might change my mind.

Re:Probably won't last

[Anonymous Coward]

who said anything about joe sixpack being concerned? how about dubya, the "i am not a stock picker"? i think we should worry about getting dubya in on the meaning before joe.

--m

INTERVIEW THIS GUY

[geekoid]

we need to get Richard Clarke to do a slashdot interview. I think this would be an enormous opportunity for the slashdot readers to find out what someone high up thinks about the dmca and its effects to the community. It will also give Richard Clarke the opportunity to here the concerns right from the community instead of from corp. reps.

HP

[Osiris Ani]

In the wake of the recent HP debacle [slashdot.org], I'd have to say that this is very interesting.

Regardless of the fact that it wasn't actually SnoSoft that officially published the exploit, even if they had, Clarke is basically saying that they went about things in pretty much the most appropriate manner.

Rehash of NPR's Morning Edition Interview

[AB3A]

I heard this interview this morning. What he said was not encouraging. He wants "security professionals" to do the hacking --not programmers or kids down the street. He wants them to reveal the exploit without offering code demonstrating it, and he wants to keep it all secret. He made no mention of any time limits before one should give up and go public with this information.

So let me see where this puts us. Phred Programmer discoveres a buffer overflow that crashes IE. He tells his security professional about his discovery. Our "security professional" says "what's a buffer overflow?" and the whole thing falls on the floor.

Wait, let's try this again. Phred Programmer discovers a buffer overflow problem that crashes IE. He puts on his "security professional" hat and calls Microsoft. Microsoft says "So what? It crashes. BFD. We'll fix it on the next major release."

Phred Programmer waits until the next major release and the mess is still there. Remember, he's not supposed to write code to demonstrate this problem, or the potential harm, so Microsoft has no idea whether they've really fixed this problem.

So Phred Programmer calls the feds. They respond with "Huh? What's the big deal?" "Well, you could exploit this and hack with full administrator priviliges", says Phred Programmer. "Sounds far-fetched" say the feds. "But just in case you're right, I don't want you writing any code. Why don't you post your notions with Microsoft?" "But I already have and they promised a fix by the next major release", complains Phred Programmer.

"Hmm. We'll have to take it up with them."

And so, another major release goes by and still nothing. Meanwhile, somebody else figures out the breeched security and because the don't live in the US, they post a script for the kiddies to use.

Back to the present: Somebody explain to me why this scenario is not likely. Restricting this information to "security professionals" seems to me like an effort to sweep security problems under the rug.

Richard Clark's ideas suck, IMNSHO. He clearly has no concept of how bugs are discovered, demonstrated, and how the repair of those bugs is prioritized by software companies. Does anyone here really think Microsoft would have fixed those buffer overflow problems if no-one had written an exploit and published it? Does anyone here think that users in other countries will have any respect for stupid US policy (never mind the law)? Sheesh.

Re:INTERVIEW THIS GUY

[pmz]

we need to get Richard Clarke to do a slashdot interview.

This is a good idea. A natural extension to this would be to invite other goverment figures, such as Justice Department officials or members of Congress. People who have an interest in federal or international technology policies might appreciate the open, yet moderated, forum of Slashdot. This could be an example of the U.S. goverment at its best.

This could be an easier way for people to "write their Congressmen", since there really is a lower courage threshold when posting to Slashdot (yes, writing Congressmen isn't trivial for many people, even though it should be).