Information Security News mailing list archives
The Other Side Of The Story
From: William Knowles <wk () C4I ORG>
Date: Sat, 30 Sep 2000 04:11:54 -0500
http://www.zdnet.com/intweek/stories/columns/0,4164,2634819,00.html

Post Date: September 28, 2000
Updated: September 29, 2000
By Lewis Z. Koch
Special To Inter@ctive Week

How to describe the famous - infamous to some - Mudge, aka Dr. Mudge? Today, his title is vice president for research & development at @Stake - an organization that describes its mission as "Securing the Internet Economy." In an earlier life, @Stake was the legendary hacking group known as L0pht. A celebrity at hacker conventions, Mudge has been profiled in The New York Times and is a member of the digerati crowd invited by President Bill Clinton to counsel the White House.

Mudge, a slender man with hair far down on his shoulders, resembles an over-the-hill hippie. His speech is so rapid-fire that at times it becomes nearly incomprehensible, especially when he is talking about deep and arcane computer flaws. What he offers is a kind of anarchic genius vision coupled with real-world techniques for discovering dangerous flaws in widely used - and abused - software. If you want to visit that netherworld of hacking where offensive and defensive tactics blur, all you need do is hang with Mudge.

A hacker's war college

Mudge disagreed with security expert Marcus Ranum's call for consigning severe penalties to hackers who publish descriptions of security flaws that encourage break-ins. "I believe all of the large organizations out there should be engaged in their own war-college activities," he said. His reasoning? No software developer, he said, ever declared: "I'm going to rip this thing apart. I'm going to find a new attack or design one, and I'm going to develop threat models around it because it's the only way to understand how to prevent future attacks."

"I think it was [Winston] Churchill who said 'The worst-case scenario should never come as a surprise,'" Mudge said.

Tracking hackers is of little use, Mudge said. "If you set up a sting bulletin board system or sting Web site, you're just trying to suck off information and research that other people have already done. You're already behind the times." Instead, he advised, "What you need to be doing is figure out where these new attacks are coming from on your own - based on the technology, what weaknesses, what stress points are being introduced. Sometimes you will have to test and you will have to design tools for those tests. And some of those tools you will have created will be offensive, because that's why you created them." All this is necessary, he insisted, because it's "the only way you can actually buttress and buffer up your defenses beforehand."

Mudge holds that it should not be the responsibility of the end user to find or develop patches for flawed software. That responsibility, he asserted, belongs with "AT&T, Microsoft, Nortel [Networks], Sun [Microsystems]." The developers - not some confused software user - should be the ones to address the problems.

A developer's caveat emptor

Ranum objects to openly publishing software flaws on the grounds that it more often acts like a how-to tract for hackers than an alert for security professionals and developers. Mudge disagreed. "We had an evolutionary life cycle over at the L0pht on how we released advisories," he recalled. "At the very beginning, we went directly to the vendors and nobody else. The vendors basically told us if their clients didn't know about it, we should shut the hell up because they're going to have to spend more money to fix it, and why should they do that since they're profitable?"

Mudge said this kind of attitude "trained" L0pht and other hackers to believe that only ongoing public pressure and humiliation would or could compel companies to fix their buggy software.

Today, he said, software consumers have become so cynical they "need third-party proof of concept" before they'll believe the software's been fixed, and the only way that will happen is through independent review. The software companies are where Swift and Armour were in 1906, when Upton Sinclair wrote his classic exposé on the meatpacking industry, The Jungle - the consumer uses the product at his own risk.

Analyst, anthropologist, attorney

Michael Brian Scher is a network security and policy analyst, a lawyer and a doctoral student in anthropology at the University of Chicago, where he is completing his dissertation on "unauthorized access to computers where there is no apparent fiscal motivation." In short, he's researching noncriminal hackers.

Scher, too, contends that Ranum has focused on the wrong target. And he agreed with Mudge that there ought to be some kind of independent "Underwriters Laboratories" to certify safe software. But the lawyer in him adds one more factor: The key to computer security, he believes, lies in areas of liability and insurance.

Right now, software is a take-it-or-leave-it market. Thanks to Draconian licensing agreements - which, in many cases, the consumer automatically agrees to simply by opening the package - all liability rests on the user, none on the manufacturer.

"I think we first ought to ask the software manufacturers to look at where these flaws and vulnerabilities are coming from," Scher said. "It's their own products, of course. Next, we should calculate the real fiscal loss in allowing these companies to utterly disclaim liability."

Scher, who has overseen the purchase of hundreds of thousands of dollars' worth of computer security software, said manufacturers should indemnify consumers at least to some degree. But the response from the manufacturer, he said, is " 'Are you nuts?' Obviously, they don't trust their security enough to stand behind it."

A smart company, Scher said, would say: " 'Absolutely! We will indemnify you up to, say, $40 million.' Then they'd turn around, buy insurance and pass that cost right on. The advantage to us is an umbrella from the insurers, who are reviewing this company and making sure they do things correctly. Meanwhile, the company has an interest in doing things correctly, because even though they won't wind up paying anything in liability costs, their rates will increase, and they'll have all kinds of negative public attention."

It's certain that hackers and script kiddies aren't going to vanish in the foreseeable future. So we have a choice: jail them - assuming authorities can identify and convict them, which is unlikely - or fix the software. Which do you think makes sense?

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".