The following text is copyright 2002 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Good guys wearing black hats
By Scott Bradner
How frustrating! Just after I had sent last week's rant against HP's stupid first reaction to being told about a security problem with their operating system (cite column) to my editor, I left for a few days of relaxation in California. The next morning when I checked my email the story had broken that the U.S. cybersecurity czar was encouraging hackers to ferret out security vulnerabilities in commercial software. That sure would have been a good tagline for the column, but it was just a few days too late. So I'll talk about it now instead.
It seems that Richard Clarke gave a keynote speech to the Black Hat (www.blackhat.com) security conference in Las Vegas, sponsored by 9 companies including, most recognizably, PricewaterhouseCoopers, Nortel Networks and Microsoft. In that speech he blasted companies, particularly companies selling wireless networking equipment and ISPs offering broadband Internet access, for not providing meaningful security. Not coincidentally, the same day the Black Hat conference story broke, the U.S. Defense Department announced that it was going to prohibit the use of most wireless devices inside military buildings in the near future. This will include cell phones, wireless handheld devices and wireless laptops. All because, to the closest approximation, there is no security on these devices. Gee, they are getting picky!
Clarke was also quoted as saying "Some of us, here in this room, have an obligation to find the vulnerabilities [in commercial software]." He did caution that the software vendors should be told about any vulnerabilities that were discovered rather than the information just being made public, so that the vendor would have the chance to put out a fix for the vulnerability before the bug becomes widely known. He also recognized that some vendors seem less than interested in fixing security problems and told the hackers that they should report the vulnerabilities to the government in that case. Clarke also suggested that new laws might be needed to protect hackers who act in good faith. He did not mention it, but one thing that might be needed is a "clarification" of the DMCA, to prevent some other company more interested in protecting weak software than in fixing it from using that law as a stick to poke people in the eye with.
It is very good news that someone from this, or any, government actually understands that the best security happens when systems are tested. The alternative is to bet on the omniscience of programmers and the stupidity of the bad guys. This does not seem like a good bet when the economic health and security of this and other societies are the table stakes.
Now if there were only some real incentive for vendors to put out secure systems and to provide quick, well-tested, and easy-to-install fixes when flaws are found. The cost of last year's Nimda virus was about $3 billion. Maybe if the vendor of the vulnerable software had to pay some of that cost it would make them actually wake up.
disclaimer: $3 billion would even make Harvard wake up, but the University did not offer the above opinion; I did.