Information Security News mailing list archives

Silence the best security policy


From: InfoSec News <isn () C4I ORG>
Date: Thu, 27 Jul 2000 04:50:49 -0500

http://www.zdnet.com/zdnn/stories/news/0,4586,2608077,00.html

By Robert Lemos, ZDNN
July 26, 2000 3:58 PM PT

LAS VEGAS -- Should security holes be hushed up?

Long controversial, the policy of disclosing software vulnerabilities
to the public was subject to open attack in a Wednesday keynote at the
Black Hat Security Conference.

Marcus Ranum, chief technology officer for intrusion detection
software maker Network Flight Recorder Inc., used hard language to say
that security can't be improved unless "gray hat" hackers stop
disclosing security holes to the public and stop creating tools for
so-called "script kiddies" to exploit the holes.

"Full disclosure is creating armies and armies of script kiddies,"
said Ranum, who called the creators of hacking tools "weapons dealers"
who aren't really concerned with security.

"Distributing these tools is not helping," he said.

The problem with tools

Hacking tools have caused much of the chaos on the Internet in recent
years.

The February denial-of-service attacks against eight major Internet
sites -- among them Yahoo! Inc., eBay Inc. and ZDNet Inc. -- used
tools created by a gray-hat hacker in Germany known as Mixter.

The Melissa virus and the ILOVEYOU worm plagiarized much of their
innards from other viruses that came before. And Web vandals tend to
use only a handful of exploits to compromise vulnerable sites just
enough to post digital graffiti.

"We are creating hordes and hordes of script kiddies," Ranum said.
"They are like cockroaches. There are so many script kiddies attacking
our networks that it's hard to find the real serious attackers"
because of all the chaotic noise.

'It's a social problem'

The main problem is that hacking has become, to some degree, socially
acceptable. "Every single conference out there that is supposed to be
teaching the network community about security is at the same time
pandering to the hacking community," Ranum said.

"It is not a technical problem," he added. "It's a social problem. We
need to come down hard and fast on these people."

Moreover, in the burgeoning security software industry, poking holes
in a rival's product is good business, Ranum said.

Media coverage of a company's seemingly tech-savvy ability to find
security holes can be a boon, while showing weaknesses in others'
products can be equally lucrative.

"A lot of the vulnerabilities that are being disclosed are researched
for the sole purpose of disclosing them," he said. "Someone who
releases a harmful program through a press release has a different
agenda than to help you."

A large portion of security experts go home and write tools at night
for script kiddies.

Hacking to become terrorism?

That's set to change, Ranum said.

Over the next few years, society's tolerance of hackers will lessen
once hacking is regarded as "non-ideological terrorism," he said. As
home users increasingly find themselves the target of hackers, there
will be less and less patience with break-ins.

"In the next five years, we are going to move to a counterterrorism
model," he said. "It will turn into a witch hunt unless we stop the
script kiddies today."

Ranum's message to the creators of tools: "Why don't you do something
useful."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".