
U.S. Computer Security Advisor Encourages Hackers

timothy posted about 12 years ago | from the grain-of-salt-to-choke-a-volcano dept.

Security 275

DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers, and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clarke was using the original, more generalized, definition of 'hacker', but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."

275 comments

I encourage (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3992564)

first posts!! openbsd is still owned.

I encourage (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3992758)

masturbation!! slap it till it's dead!

Left hand, meet right hand... (3, Funny)

FortKnox (169099) | about 12 years ago | (#3992565)

If only the left hand knew what the right hand was doing...

Re:Left hand, meet right hand... (0)

Anonymous Coward | about 12 years ago | (#3992592)

Would you rather have a government where all the parts acted as one? Where the govt isn't made up of people, but of parts of a machine, led by just one or a few people? Sounds totalitarian to me.

Re:Left hand, meet right hand... (0)

Anonymous Coward | about 12 years ago | (#3992670)

I think he means, he wishes this part of the government would be looked at for DMCA and other shit. Man, you are totally clueless, ain'tcha?

Re:Left hand, meet right hand... (1)

jeffy124 (453342) | about 12 years ago | (#3992632)

The left hand will soon know. Chances are good some congresscritter is gonna hear this story and instantly think "he's promoting computer crime and break-ins!?" and try to get more info. Net result: they see things from our angle better than they did before.

Re:Left hand, meet right hand... (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3992673)

Both hands are wanking, but the people they are wanking is different.

Re:Left hand, meet right hand... (3, Funny)

ceejayoz (567949) | about 12 years ago | (#3992726)

You don't want to know what the right hand is doing... ;-)

Re:Left hand, meet right hand... (1)

shepd (155729) | about 12 years ago | (#3992759)

Q: What's the sound of one hand clapping?

A: The half of the US gov't cheering for Richard Clarke.

Re:Left hand, meet right hand... (0)

Anonymous Coward | about 12 years ago | (#3992867)

Do you have over 1000 [slashdot.org] comments? Why Not?

This [slashdot.org] is why. Editors insult those that participate too much.

maybe? (0)

Anonymous Coward | about 12 years ago | (#3992568)

maybe not

In related news (2, Funny)

tetrode (32267) | about 12 years ago | (#3992574)

The government encourages People to go to work.

Probably won't last (3, Insightful)

MxTxL (307166) | about 12 years ago | (#3992581)

If something like this made it anywhere near being a policy decision, when the popular press got ahold of it, it would not last very long. Joe Sixpack doesn't know much about computers, but he knows the word 'hacker' and he knows that it's mapped to the word 'bad'. So when anyone suggests letting (hackers=>bad people) near our critical computers (which all computers are...) then Joe goes on the warpath and gets it struck down.

Re:Probably won't last (3, Informative)

Darkstar9969 (516815) | about 12 years ago | (#3992674)

Actually I heard him interviewed on NPR this morning. His whole story was that ONLY computer security professionals should engage in this type of "hacking". For everyone else no attempt should be made to reverse engineer or post exploits to the world. He did stop short of adding the popular closing "or the terrorists win", but really he was pushing M$'s security-through-obscurity line over and over again.

To his credit though, he did explain the difference between the current perception of hackers as being evil lawbreakers and the original definition of the old MIT hackers. He did broaden it just a bit by saying that old hackers were anyone who was into computers...whatever that means.

Re:Probably won't last (1)

Mitchell Mebane (594797) | about 12 years ago | (#3992675)

Joe Sixpack doesn't know much about computers, but he knows the word 'hacker' and he knows that it's mapped to the word 'bad'. So when anyone suggests letting (hackers=>bad people) near our critical computers (which all computers are...) then Joe goes on the warpath and gets it struck down.

The article would have done well to differentiate between 'hacker' and 'cracker', for those of us who aren't geeks.

Sopranos (1)

Dephex Twin (416238) | about 12 years ago | (#3992730)

I rented some of the Sopranos DVDs, and in one of the episodes of the second season, they specifically clarified the meaning so that it was wrong.

One of the mobsters was talking about computer break-ins to do illegal activities and said something like "what do you call those guys... crackers?" and another mobster corrected him: "hackers."

Anybody else notice this?

This is the info Joe Sixpack gets.

mark

Re:Probably won't last (1, Interesting)

Anonymous Coward | about 12 years ago | (#3992845)

who said anything about joe sixpack being concerned? how about dubya, the "i am not a stock picker"? i think we should worry about getting dubya in on the meaning before joe.

--m

Re:Probably won't last (-1)

Anonymous Coward | about 12 years ago | (#3992863)

Joe Sixpack also doesn't really give a shit about what Congress does, other than to complain about with buddies at work, or the bar.

break programs? (5, Funny)

stray (73778) | about 12 years ago | (#3992582)

From the article: A presidential advisor encouraged the nation's top computer security professionals and hackers Wednesday to try to break computer programs, but said they might need protection from the legal wrath of software makers.

... and there I was, thinking that most computer programs were broken to begin with. How about encouraging computer professionals to *fix* programs?

Re:break programs? (2, Insightful)

SpatchMonkey (300000) | about 12 years ago | (#3992626)

Because the script kiddies they refer to don't have the skills to fix anything. Like the vandals who daub graffiti on historic monuments, these people know nothing of constructing something useful or interesting or artistic. They just want to destroy.

Re:break programs? (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3992790)

Kick ass user # dude.

Friend or Foe (2, Insightful)

errittus (13200) | about 12 years ago | (#3992584)

After going after these people for exploiting bugs in software for the wrong reasons, maybe this will lead to some gainful employment for a few ladies/fellows.

Re:Friend or Foe (3, Insightful)

Jucius Maximus (229128) | about 12 years ago | (#3992629)

"Clarke said the hackers should be responsible about reporting the programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker doesn't respond soon."

I suggest that a US citizen send them a fax or two about Hewlett Packard [slashdot.org] .

Hackers (1)

SpatchMonkey (300000) | about 12 years ago | (#3992585)

I suppose next they'll be suggesting that thieves be allowed to break into my house, just to see if it is secure.

This is a slippery slippery slope, folks.

If hackers break into my systems, I want them prosecuted like any other type of criminal!

Re:Hackers (0)

Anonymous Coward | about 12 years ago | (#3992635)

But see even if we were talking about your house and not your systems - you leaving the door open or a key under the mat makes it a rather different crime than them taking it down with a sherman or something...

Maybe you should spend more time securing your systems and less bitching..

Re:Hackers (not a slippery slope at all) (4, Insightful)

MarvinMouse (323641) | about 12 years ago | (#3992638)

I think what he meant was people who try to break their own systems to find bugs in them. Not the people who mindlessly hack into other peoples web pages and change them because they have no time.

He means responsible hackers who just find the problems and notify the company. Not hack into banks or your computer.

It is perfectly legal for someone to try to defeat their own home security system, while it is not legal for them to break someone else's (unless requested).

Not a very slippery slope at all if you look closer. All he wants is for people who discover or uncover problems on their own little systems or labs to be allowed to tell the companies. Or even just let these people find the problems on their own. As well, he wants to legislate it a bit more, so while they can notify the companies, they won't be able to release to the public exact details on how to break in.

Just like, if I discovered that my security system on my car was easily breakable. I could tell the company, and let my friends know there is a problem. But I cannot publish a detailed paper explaining how to unlock doors with a screwdriver and some patience.

Re:Hackers (0)

Anonymous Coward | about 12 years ago | (#3992639)

I believe that the article says that the government will support "research institutions", not just any ol' hacker working from a damp cave.

Re:Hackers (4, Informative)

MagPulse (316) | about 12 years ago | (#3992641)

This is more like an architect taking a model of your house, finding the weaknesses, and telling the manufacturer about it so they can fix your house before someone malicious takes advantage of it.

Re:Hackers (0)

Anonymous Coward | about 12 years ago | (#3992655)

Try prosecuting a hacker in Lithuania who broke through a trail of systems around the world, connecting through a chain of machines to break into yours. In fact, just try to track the person down. Saying "well let's just throw them into prison" is a bit like saying "Mommmmyyy, Marcy stole two cookies from the cookie jar. I sawed her I did!"

Re:Hackers (3, Interesting)

Jucius Maximus (229128) | about 12 years ago | (#3992679)

"I suppose next they'll be suggesting that thieves be allowed to break into my house, just to see if it is secure."

The difference with homes is that everyone knows what they are, what they're for and the most common routes of security breakage.

When we got a security system installed at my current place, I slinked around and tried to get around without being seen by the motion detectors. Eventually I found a way to get from the back door to my computer without triggering a single motion detector. This resulted in us having them moved around.

Computers, in contrast, are big nebulous boxes and most people don't know much about how they work or how to secure them. This is why they should be treated differently than homes with respect to how the security is tested.

Re:Hackers (1)

mr_z_beeblebrox (591077) | about 12 years ago | (#3992697)

I suppose next they'll be suggesting that thieves be allowed to break into my house, just to see if it is secure.

While gaining access to a system is one way to discover software flaws, I doubt that is what they are trying to encourage. They want honest-to-goodness evaluation NOT of your PC but of critical software packages. Right now, if I use MY Linux box to find a flaw and subsequently verify an exploit of it on MY NT server, MS can sue me if I tell anyone. That is the kind of behavior they are trying to protect.

Re:Hackers (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3992716)

AMEN!!

Re:Hackers (2)

Dephex Twin (416238) | about 12 years ago | (#3992787)

This is a slippery slippery slope, folks.
It's nice that you went to the trouble to point out the specific logical fallacy [wikipedia.com] of your statement.

mark

Re:Hackers (2)

liquidsin (398151) | about 12 years ago | (#3992816)

He doesn't encourage cracking into other peoples systems, only testing the security of software. This can be done on local machines. Big difference. If I pick the lock on my own front door, is that breaking in?

Re:Hackers (-1, Offtopic)

SoSueMe (263478) | about 12 years ago | (#3992837)

Nice Troll.

Obviously you followed the First Rule of Posting:
Read ONLY the Headline, then post the first moronic thing you can think of.

Too Late (2, Interesting)

ShishCoBob (516335) | about 12 years ago | (#3992586)

It's a little too late for these. We already have a number of people in jail for finding software bugs and releasing the details without doing any damage... And isn't there a law already against this exact thing here?

May work, may not (1)

Hacker'sEdict (593458) | about 12 years ago | (#3992587)

But IMHO hackers aren't going to play the nice guys and report the bugs. They are going to exploit the bugs and either not tell the company about all of the bugs or not tell the company about any of the bugs; that is what they do. Do you think that they will stop just for you?

Re:May work, may not (1)

mr_z_beeblebrox (591077) | about 12 years ago | (#3992747)

But IMHO hackers aren't going to play the nice guys and report the bugs. They are going to exploit the bugs and either not tell the company about all of the bugs or not tell the company about any of the bugs; that is what they do.

Why do you think that you get all those patch releases from MS? Do you think that they conscientiously find all those bugs? Hell, even Apache, OpenSSH etc... they all depend on 'hackers' finding and reporting bugs. Have you ever found a bug? Did you report it? If not, you are just as bad as what you are trying to say hackers in general are.

Re:May work, may not (0)

Anonymous Coward | about 12 years ago | (#3992814)

How is it different from now?

At least with this, legit hackers can continue with faith in them.

People will still use the security holes discovered to do illegal things, just as they do now.

But at least the responsible people will continue to be appropriate and have some backing also.

Nice... (0)

fudgefactor7 (581449) | about 12 years ago | (#3992589)

Now that we have this story, I wonder if he'll back down from the "we'll help you" part? Good Faith being what it is, I don't have much faith in the government to do the right thing in this case...I bet white-hats still end up with the shaft.

only terrorists search for holes (-1)

Anonymous Coward | about 12 years ago | (#3992595)

Isn't it better for the economy if we make it illegal to search for holes? Because then companies will produce more software faster and cheaper.

Re:only terrorists search for holes (1)

mr_z_beeblebrox (591077) | about 12 years ago | (#3992773)

Isn't it better for the economy if we make it illegal to search for holes? Because then companies will produce more software faster and cheaper.

Good point!!! I bet that Audi is looking for ways to send suicide drivers out and crash into drivers when they do crash tests. You would really be more comfortable if quality control were illegal?

More surprising... (3, Funny)

Maran (151221) | about 12 years ago | (#3992596)

Which is more surprising: Government representative supports hackers, or Government representative uses correct meaning of "Hacker".

Maran

Disclosing to company vs public (3, Insightful)

Winterblink (575267) | about 12 years ago | (#3992597)

At least if you post it to the public you're assured that the company's not just going to push the reported exploit under the rug and ignore it, or "quietly" patch it in a later version to bypass the bad press.

Being publicly accountable makes a company more diligent with security and bug testing. The only downside to public announcements is that every hacker out there now knows about it. The upside to THAT is that the company now has a hell of a lot of incentive to patch the hole in a prompt manner. Just my 2c!

Re:Disclosing to company vs public (2)

ceejayoz (567949) | about 12 years ago | (#3992746)

Disclose it to the company, then if they ignore that, post it publicly. That way the good companies get to fix things quick and be applauded, whilst the baddies get embarrassed even more by "we sent this to them a month ago but they blew us off" comments.

Re:Disclosing to company vs public (1)

Winterblink (575267) | about 12 years ago | (#3992806)

Well, the article states that the finder is asked to inform the company and then the government, and NOT to post it publicly.

I'm curious if you have any recourse or protection if the company has you arrested before you can go to the government with the bug. :)

Re:Disclosing to company vs public (1)

EvilBudMan (588716) | about 12 years ago | (#3992752)

Maybe a deadline would solve that problem. Give said company 10 days to fix the problem, after which the hole becomes public.

so US security has a bit of a clue (5, Interesting)

Jucius Maximus (229128) | about 12 years ago | (#3992598)

They recognise that 'hacking' is a good way of helping to secure systems, which is good.

Now I hope that a USA Citizen tells them that they are encouraging something that is outlawed by the DMCA.

Re:so US security has a bit of a clue (2)

2MuchC0ffeeMan (201987) | about 12 years ago | (#3992628)

hah, so true, they want DMCA laws for corporations to make money, but want no DMCA laws when the corporations don't do their job right.

Re:so US security has a bit of a clue (4, Informative)

Surak (18578) | about 12 years ago | (#3992657)

I listened to an interview with Richard Clarke this morning on NPR. He basically said that he *knows* that this is outlawed by the DMCA (and other laws against hacking) and suggested that computer professionals try to break only into their own systems, so as to avoid legal wrath.

Uhhh...yeah, isn't this what computer security professionals do *already* as part of the normal course of their everyday jobs? (If not, they *should* :-P)

Right hand doesn't know what the left is doing (3)

rhizome (115711) | about 12 years ago | (#3992704)

I listened to an interview with Richard Clarke this morning on NPR. He basically said that he *knows* that this is outlawed by the DMCA (and other laws against hacking) and suggested that computer professionals try to break only into their own systems, so as to avoid legal wrath.

Except that HP is threatening the DMCA against the group who (notified and) publicized the Tru64 vulnerability. AFAIK, this vulnerability was found by their examination of their own systems.

"Computer Security Professionals" (1)

bpfinn (557273) | about 12 years ago | (#3992792)

I heard the NPR interview this morning as well. I believe he also said that only "Computer Security Professionals" should hunt for security flaws, and regular folks should not. I have no idea how you differentiate yourself as a "Computer Security Professional". Maybe you will have to register yourself with the government to get immunity from DMCA prosecutions. :(

Re:so US security has a bit of a clue (1)

jeffy124 (453342) | about 12 years ago | (#3992671)

Well, look at where the guy came from. Before working for Bush, he worked for Microsoft. Not in product development, but rather as the guy in charge of their own LAN, "securing Ft Redmond's internals" as one guy put it once. Basically, he's got the experience necessary to make informed statements like he's making now. Before now, he probably couldn't make them because he worked for MS.

Ah, that explains it (2, Funny)

Anonymous Coward | about 12 years ago | (#3992601)

No wonder a Trojaned version of OpenSSH was put on OpenBSD's FTP server. They were acting on Presidential recommendation!

cnn link (2)

2MuchC0ffeeMan (201987) | about 12 years ago | (#3992603)

Cnn Story:
Linky Linky [cnn.com]

It says WE have to be the world's debuggers.

Re:cnn link (0)

Anonymous Coward | about 12 years ago | (#3992723)

You mean Quality Control don't you (or CNN)? Testing, QA/QV/QC, whatever. Debugging would be the act of cleaning up bugs.

Of course, if you go out and actually do this... (5, Interesting)

Rude Turnip (49495) | about 12 years ago | (#3992605)

There's a pretty good chance you'll get sued/fined/imprisoned due to the DMCA. Of course, the advisor did say that some legal protection for hackers should be in place to prevent such a mess.

These days, with "corporate fraud" being the buzzword du jour, one could make a very strong argument that the DMCA encourages corporate fraud because it allows companies to sweep their product defects under the carpet.

Re:Of course, if you go out and actually do this.. (1)

gerf (532474) | about 12 years ago | (#3992719)

True, there is some protection from the DMCA. BUT, it also says that when a security flaw is found, to first contact the business, and if the business does not respond in enough time, the government. He is not flying in the face of the DMCA, because he does not encourage sharing of information with other programmers (who might make a virus, hack stuff, are assumed to be 'evil,' blah blah blah)

Editors love Hackers except when they hack them (0)

Anonymous Coward | about 12 years ago | (#3992610)

Gotta love how Slashdot cheers the hackers on and lauds them for finding holes and bugs, but they're not quite as charitable when they turn their skillz on them.

When slashdot gets hacked, the editors are steamed at the "trolls", who are regarded as exclusively destructive, instead of being grateful that exploits are being tested. In fact, the trolls are the only ones brave enough to wade into the cesspool that is slashcode to help make it a better site.


Re:Editors love Hackers except when they hack them (1)

mr_z_beeblebrox (591077) | about 12 years ago | (#3992807)

In fact, the trolls are the only ones brave enough to wade into the cesspool that is slashcode to help make it a better site.

Huhh!!!!!
Someone hacking and defacing a website is not helpful. Code auditing and reporting of errors is, but not vandalism.

Just be sure not to give out your name... (3, Interesting)

iritant (156271) | about 12 years ago | (#3992616)

There was the incident of the fellow who discovered that the New York Times was left wide open by FrontPage. So he called to tell them, and was promptly arrested. I wonder if Mr. Clarke thinks that's fair.

Re:Just be sure not to give out your name... (2)

mosch (204) | about 12 years ago | (#3992833)

I know exactly the story you're talking about, and it wasn't the New York Times, it wasn't FrontPage, and he didn't get arrested. I tried to find the real details, so I could cite the source, but slashdot's search engine didn't cooperate.

The real issue is the notcha (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3992624)


This does not address the notcha factor. What is the notcha? The notcha is the area "in between" - notcha nuts, but notcha asshole either. The notcha.

They will first encourage you (2, Informative)

PrimeNumber (136578) | about 12 years ago | (#3992630)

then put you in jail for DMCA violations.

Re:They will first encourage you (0)

Anonymous Coward | about 12 years ago | (#3992785)

I don't read /. anymore to be informed. I read it to laugh my ass off; in fact I'm chuckling as I write this. All this sensationalist MPAA, RIAA, DMCA talk is easily the funniest thing going on the web right now. It's completely and utterly hilarious the levels that some people can take their pointless causes to. Without exaggerating too much, I'm positive a large percentage of you are convinced your hacking and mass producing of bootleg software and music is somehow constitutionally protected and that anyone who makes a product you might desire and then charges more than you want to pay is a tyrant and a criminal. You wannabe anarchists are so gung-ho about all these bullshit ideals, convinced someone in power out there gives two shits about what you're doing. All this biased /. propaganda is so pathetic it makes bile rise up in my throat. I sincerely suggest the lot of you find something that is honestly worth fighting for. A criminal is a criminal, and all the laughable, quasi-freedom fighter ideals in the world won't change that.

Re:They will first encourage you (1)

EvilBudMan (588716) | about 12 years ago | (#3992843)

Yes, this is an old trick. Back in the day, there was this big party where everyone was drinking. The hosts made the mistake of not having food at this party, so therefore they were serving alcohol without a license. So, the cops raided this place and told everyone to get in their car and leave. Well, the ones that did got arrested for DUI. So this sounds just like a trick to find out who the hackers are and crack down.

P.S.
doesn't \. have a spell check?

In Other News (2, Funny)

Apocalypse111 (597674) | about 12 years ago | (#3992642)

A top Bush-administration official, in a tie in with Richard Clarke's press release on hackers today gave his support to the Cult of the Dead Cow, a hacker group responsible for creating the juvenile-hacking utility known as "Back Orifice" or simply B.O. Whether this official's support is a tie in with the Bush administration's fundamentalist leanings is unknown. CotDC representatives were quoted as saying, "5w33t! 7h1s r0x0rs! w3 w1ll 0wnz j00 4ll n0w! ph34r u5!" President Bush was unavailable for comment.

Careful this is a trap! (1)

jsonmez (544764) | about 12 years ago | (#3992652)

What an elaborate trap, he makes some big speech about this, all the hackers come out of their hiding places and publish security holes and BAMMO they are all put behind bars because of DMCA violations. Then he says "oops."

Ethics (4, Interesting)

YanceyAI (192279) | about 12 years ago | (#3992653)

This is an interesting ethical question. Clarke said the hackers should be responsible about reporting the programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker doesn't respond soon. The philosophy is good in theory, but often large companies ignore problems to avoid the press and/or expense of fixing the security hole.

I wonder how long the "hacker" should give the company. And is the government really the next best step? I work for the government and I seriously doubt that will get the ball rolling.

The obvious problem with full disclosure, of course, is making malicious hackers and even terrorists aware of the problem. Solutions anyone?

Re:Ethics (2)

Mr_Silver (213637) | about 12 years ago | (#3992729)

I wonder how long the "hacker" should give the company. And is the government really the next best step? I work for the government and I seriously doubt that will get the ball rolling.

Well, Microsoft and others have been pushing their "reasonable disclosure" requests, and that states 30 days.

Which i think is fair enough.

Let them know. If they haven't released a fix within that time then fully disclose it.

Yes, people will argue that as soon as it's found out, others may be using it so it would be better to know all the details immediately.

However, the likelihood of someone finding the problem and writing a worm or something that exploits it is substantially less when they don't have all the gory details laid out for them in a nice document. Which is the major downside to full disclosure.

Re:Ethics (2)

BlowCat (216402) | about 12 years ago | (#3992780)

Well, obviously, if the government cannot influence the company within a reasonable timeframe, then the vulnerability should be disclosed.

If I wasn't living in the United States, perhaps I would try this tactic at least once to give the US government the benefit of the doubt. If they fail, then there's no need to try it again. If they actually force the company to make the patch, it may be a good thing.

Shouldn't we report the su exploit in Tru64 to the US government now? Like "a company in your country is making unsafe software and refuses to fix it, please consider if you still want to buy their software for the government and the military".

Re:Ethics (3, Insightful)

Restil (31903) | about 12 years ago | (#3992798)

Good point. I can't really see what the Government can do anyway. There's no law that says you have to write secure software. There are just laws regarding disclosure of bugs/holes. Some software companies will be genuinely concerned about the security of their software and will respond promptly. Others weigh it against other bottom line concerns and will wait until a convenient time to address the problem (next major software release).

The government can't do much more than tell the company what they already know. I suppose the government could stop using such software, but beyond the operating systems and generic office applications, I doubt the government makes widespread use of any other commodity software packages. All the government can really do is make an announcement about the problem, and the "hacker" can probably do the same thing, more efficiently, and in a way that more effectively reaches those that need to know about it.

-Restil

Re:Ethics (1)

Neumann (240442) | about 12 years ago | (#3992818)

I think the whole idea is to give the company all the time that's needed. You let the company know and then (maybe) the Gov't and NO ONE ELSE. I understand that this is just embracing security through obscurity, but that seems to be the only way you can find security exploits and not go to jail for doing it.

Re:Ethics (2)

Irvu (248207) | about 12 years ago | (#3992844)

I'm not sure that there is one. So long as a bug exists, malicious people can find it and exploit it. Keeping it a secret won't help because anyone who really wants to cause damage is also going to go looking for holes. The only people who wait for a bug to be made public before exploiting it are the lazy kiddies, people who want to cause damage but don't have the inclination and the energy to find exploits themselves. While this latter group can cause damage, it is the former (the "real" crackers) that I am worried about.

IMHO bugs should be made public, even in a private company's software. Because, it isn't really "theirs" and theirs alone. I depend upon the OpenSSH and SSL systems as well as my Windows box to keep my data secure. So do many many other people. If there is a hole then it puts my credit card numbers, medical info, me in danger. At that point it is a public problem, and a private company should not be permitted to "just hide it" any more than Ford/Firestone should be able to just hide the dangers of their products.

IMHO you should give the developer a "sufficient time" (depending upon the size of the bug, number of developers, etc.) to fix it. If they don't make any reasonable attempts, then yeah, make it public. If there is a danger to the rest of us from the truly malicious, then we ought to know about it. Yes, it will unleash a torrent of script kiddies, but when you compare that against a sea of quiet thefts or, god knows what else perpetrated by the truly determinedly vicious.

I'd be suppeised if you couldn't argue this under existing whistleblower laws.

Re:Ethics (0, Offtopic)

Irvu (248207) | about 12 years ago | (#3992861)

supprised not suppeised (whoops!)

judgemental (3, Insightful)

skydude_20 (307538) | about 12 years ago | (#3992662)

system only works when the hackers show 'good faith'

who gets to decide what a hacker did was in 'good faith'? These proposed laws mixed with the DMCA should make the credibility of the system less than it is currently treading at...

Run to Uncle Sam? (4, Interesting)

Rogerborg (306625) | about 12 years ago | (#3992686)

A more interesting quote is in this CNN article. [cnn.com]

  • "A hacker should contact the software maker first, he said, then go to the government if the software maker does not respond soon."

Umm, really? To whom in the government? The Department of Fixing Stuff? The FBI? The FTC? The DoJ? Gosh, that'll keep (e.g.) Microsoft on their toes. Bwahahahaha!

Precedent would suggest that a more likely result will be the jailing of the hacker, and the awarding of a fat contract to the vendor.

Thanks all the same, but this is just some guy in a suit. When it's written up in law by Congress, signed by G.W.Bush, and delivered to the Library of Congress by flying pig courier, I might change my mind.

Re:Run to Uncle Sam? (2)

JThaddeus (531998) | about 12 years ago | (#3992770)

Isn't there another member of Dubya's computer security staff that is a former Microsoft senior executive? One can imagine two scenarios:

(1) that fellow is messing his pants and wants Mr. Clarke canned for pushing hacking, or

(2) Mr. Clarke was put up to this as a way of getting free security labor for Microsoft while restricting press leaks about their software.

And whom would you be required to contact in the case of Open Source?

His Definition of Hackers. (2, Insightful)

Anonymous Coward | about 12 years ago | (#3992690)

I heard him on the radio this morning.

He encouraged hackers who are also "professionals" to look for bugs like this, and then report the bugs to the government and the software maker. There was no policy about what happens when both moribund entities laugh and sit on it.

Nor did he want the hoi polloi hackers out there looking for software bugs. He was explicit about this: Only Security Professionals Need Apply.

Allow me to take this moment to reassure that he is as disconnected from things as you could ever imagine. This is just the same crud in a new can. He will happily prosecute you if you do something to make the world better and don't wear a suit / this is not your "job" by his lights.

So don't take it too much to heart... he really didn't mean you regular people, folks.

ok, this is a serious post (-1)

TheBahxMan (249147) | about 12 years ago | (#3992692)

I don't think that he's referring to the average hacker, but more to programs at universities like New Mexico Tech's ICASA [nmt.edu].

Too bad that it's in Socorro.

Richard Clarke? (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3992709)

Is this the same Richard Clarke that's making up claims that hackers should not be allowed due process?

The same Richard Clarke who has no technical background but is making claims that our power grids can be shut down via the internet?

The same Richard Clarke that claimed that a 16 year old kid with a laptop and 14.4K modem can cause as much damage as the Sept. 11 disaster?

The same Richard Clarke that will distribute software to you, the American people, to check and make sure your computer is safe from terrorists?

Richard Clarke is a fear mongering spaz whose similarities to former Senator McCarthy are almost cloned...

Oh yeah, he also wants all Americans who are programmers to register with the government...

I can't wait till this fear monger's time is over.

WarTalking Arrest? (1)

B3ryllium (571199) | about 12 years ago | (#3992712)

But I thought that in the US you would get arrested and charged for showing that systems had vulnerabilities? I mean, that WarTalking case doesn't exactly inspire the White-Hat Hackers to continue in their good deeds, does it?

Another comment from me (1)

Winterblink (575267) | about 12 years ago | (#3992715)

Just a second comment from me on this, based on a quote in the story:

"If there are legal protections they don't have that they need, we need to look at that," he said.

Maybe it would be a better idea to create those protections before stepping up to the podium and announcing a call to arms to people around the world to find bugs and report them.

This is Consistent (1, Flamebait)

blair1q (305137) | about 12 years ago | (#3992734)

This is consistent with the Administration's policy of having crooks act as policemen.

Ted Olsen.
Harvey Pitt.
John Ashcroft.

No need to remind you that this regime lost the popular vote in 2000, and recounts determined that without the Supreme Court's intervention they would have lost Florida and the electoral vote as well.

--Blair

Re:This is Consistent (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#3992803)

Get over it already !!!

Re:This is Consistent (2)

William Tanksley (1752) | about 12 years ago | (#3992836)

No need to remind you that ... recounts determined that without the Supreme Court's intervention they would have lost Florida and the electoral vote as well.

Remind me, please -- cite your source. Everything I've read (in mainline newspapers, Union-Tribune and North County Times) indicated that all the recounts indicated the opposite. That's why there was no big media splash; no change is no news.

-Billy

Or maybe it's... (1, Offtopic)

eyepeepackets (33477) | about 12 years ago | (#3992743)

Richard Clarke saying, "I have a cunning plan!"

Re:Or maybe it's... (2)

handorf (29768) | about 12 years ago | (#3992850)

Do I hear the words "I have a cunning plan" marching this way with ill-deserved favor?

NPR Interview this morning ... (3, Insightful)

ayden (126539) | about 12 years ago | (#3992761)

I heard the NPR Morning Edition interview [npr.org] with Richard Clarke this morning. Yes, Clarke encourages "hackers" to find security holes, but be responsible: after discovering the security hole, notify the government and the manufacturer, but DO NOT tell the world. Clarke argues that he wants the software manufacturer to have time to develop a patch before announcing the vulnerability.

Clarke also said he wants "Computer Security Specialists" to hack and not the people doing it for fun. This ambiguity is the problem: how do you define "Computer Security Specialist"? Most of everything I learned about IT came through hacking for fun. Now I'm employed as a "Computer Security Specialist."

DMCA weakening on the way? (1)

jordan_a (139457) | about 12 years ago | (#3992768)

"If there are legal protections they don't have that they need, we need to look at that," he said.
The first step in this would obviously be to add an exception to the DMCA stating that the circumvention of security measures in a product is legal if done for research purposes.
Take this to your representative!

Mailing address (2, Informative)

tww-china (171273) | about 12 years ago | (#3992801)

Anyone have the mailing address of the President's Critical Infrastructure Protection Board (PCIPB)? Their home page is http://www.whitehouse.gov/pcipb/ but there's no address and the email address for feedback, feedback@who.eop.gov, doesn't work.

heard the report on the radio (1)

f00zbll (526151) | about 12 years ago | (#3992809)

I feel it is a positive step, but the administration needs to be more clear about what exactly they mean. Talk is cheap. When I see some legislation that improves/encourages/balances the research/report/fix/disclosure of bugs I'll smile. Until then, I'll take the perspective of hope for the best and expect the worst.

Big business owns the government, so getting tough laws passed to measurably improve software security is a very tough task. The key here is measurable. Not some bs statistics that politicians can throw around. I want results.

NPR Article (0, Offtopic)

ctmacgyver1 (542094) | about 12 years ago | (#3992811)

There is an interesting NPR interview of Richard Clarke Here [npr.org] regarding his comments.

Listen to exactly what he says.

He is not encouraging reverse engineering products to find their security weaknesses. He is only encouraging those who accidentally find weaknesses to responsibly report them.

Cheers

Can't have it both ways (1)

Ride-My-Rocket (96935) | about 12 years ago | (#3992841)

So now that the government (or maybe just this one particular individual) is realizing that their software isn't that secure, they want "hackers" to come forward and help them out? This, despite the fact that the DMCA subjectively outlaws this, and with the whole Tru64 thing fresh in one's mind?

If they want help, they have to make sure those who try and help out are protected by the law. You can't have it both ways.

Why does the government have to encourage hackers? (1)

marcelkiel (564382) | about 12 years ago | (#3992853)

I don't understand why the government has to encourage experienced programmers to find security holes - the software companies should do that. They can hire experts under a contract which gives both sides the necessary legal protection.

Customers can choose the products they believe to be secure enough for their use, for example ones that have been explicitly reviewed by hackers. And if they don't find a commercial product which isn't secure enough, they can switch to open source software, which has been reviewed by experienced hackers for as long as it has existed.

INTERVIEW THIS GUY (5, Interesting)

geekoid (135745) | about 12 years ago | (#3992854)

we need to get Richard Clarke to do a slashdot interview. I think this would be an enormous opportunity for the slashdot readers to find out what someone high up thinks about the DMCA and its effects on the community. It will also give Richard Clarke the opportunity to hear the concerns right from the community instead of from corp. reps.

Interesting fuel for the full-disclosure debate (3, Informative)

davebooth (101350) | about 12 years ago | (#3992860)

Disclaimer: My personal side in the above-mentioned debate is already decided. I advocate responsible full disclosure. Tell the vendor first, but don't agree to any NDAs and always make it clear to the vendor that after a reasonable delay you go public with everything you've got relating to the hole.

Having proclaimed my bias, it was interesting to hear the guy's own words on NPR this morning. On the positive side he correctly defined "hacker." On the negative side he clearly preferred a more restrictive disclosure policy that could be summarized as "Tell the vendor then shut the hell up and go away." When gently pressed he was prepared to allow notification of a "responsible" coordinating agency but he made very sure to never advocate anything so liberal as responsible full disclosure. I was busily making breakfast and coffee at the time so I might have missed an implication or two but these days the usual spin on "responsible" when linked to the word "agency" means either government-sanctioned-&-corporate-owned or government-operated. Some security hackers find this a potentially scary thought.

Personally, I take responsibility for my own systems' security. Based on the information I have I do my best to keep them buttoned down. Only in that way can I ethically place any blame on the persons that might try and crack them. (Of course I also know my limitations - if a true expert wants to smoke my systems I know they're gone. I'll be satisfied with keeping the worms and kiddies out whilst trusting that there's nothing on my own boxes that a true expert wants badly enough to put in the effort)

From this standpoint, anything other than responsible full disclosure denies me knowledge I need in order to make an informed decision about the risks I'm assuming. Similarly to do anything less myself, should I discover a security hole, is failing in my obligations to my colleagues.

To my mind he's advocating using the community as a source of free QA services whilst at the same time making sure that the vendors can get away with the old oxymoron of security through obscurity. Who'd bet against a government-sponsored coordinating body being followed rapidly by laws prohibiting disclosure of holes other than through that body?

Open Source (0)

Anonymous Coward | about 12 years ago | (#3992870)

Why can't they make these resolutions Open Source? There's a vast number of Open Source developers who can contribute to that cabinet.

Only by harnessing the power of the Open Source developer community can we attain those goals.

HP (2, Interesting)

Osiris Ani (230116) | about 12 years ago | (#3992879)

In the wake of the recent HP debacle [slashdot.org], I'd have to say that this is very interesting.

Regardless of the fact that it wasn't actually SnoSoft that officially published the exploit, even if they had, Clarke is basically saying that they went about things in pretty much the most appropriate manner.

DMCA not their realm (1)

dollargonzo (519030) | about 12 years ago | (#3992885)

sure, harmless hacking and reporting of this sort violates the DMCA; sure, they say they want legal protection for the people that help them; and sure, they will probably try to do something if you get arrested in the process of reporting a bug. if they succeed in helping you, they will claim triumph. if not, they don't really care because systems that they rely on might get bugs fixed, and there are plenty of people in reserve, even if you eliminate a few. i don't think that the advisor's reputation would be at all affected if some DMCA lawsuit ensues.

QED