Information Security News mailing list archives

The Other Side Of The Story


From: William Knowles <wk () C4I ORG>
Date: Sat, 30 Sep 2000 04:11:54 -0500

http://www.zdnet.com/intweek/stories/columns/0,4164,2634819,00.html

Post Date: September 28, 2000
Updated: September 29, 2000

By Lewis Z. Koch Special To Inter@ctive Week

How to describe the famous - infamous to some - Mudge, aka Dr. Mudge?
Today, his title is vice president for research & development at
@Stake - an organization that describes its mission as "Securing the
Internet Economy." In an earlier life, @Stake was the legendary
hacking group known as L0pht.

A celebrity at hacker conventions, Mudge has been profiled in The New
York Times and is a member of the digerati crowd invited by President
Bill Clinton to counsel the White House.

Mudge, a slender man with hair far down on his shoulders, resembles an
over-the-hill hippie. His speech is so rapid-fire that at times it
becomes nearly incomprehensible, especially when he is talking about
deep and arcane computer flaws. What he offers is a kind of anarchic
genius vision coupled with real-world techniques for discovering
dangerous flaws in widely used - and abused - software.

If you want to visit that netherworld of hacking where offensive and
defensive tactics blur, all you need do is hang with Mudge.

A hacker's war college

Mudge disagreed with security expert Marcus Ranum's call for imposing
severe penalties on hackers who publish descriptions of security flaws
that encourage break-ins. "I believe all of the large
organizations out there should be engaged in their own war-college
activities," he said. His reasoning? No software developer, he said,
ever declared: "I'm going to rip this thing apart. I'm going to find a
new attack or design one, and I'm going to develop threat models
around it because it's the only way to understand how to prevent
future attacks."

"I think it was [Winston] Churchill who said 'The worst-case scenario
should never come as a surprise,'" Mudge said.

Tracking hackers is of little use, Mudge said. "If you set up a sting
bulletin board system or sting Web site, you're just trying to suck
off information and research that other people have already done.
You're already behind the times."

Instead, he advised, "What you need to be doing is figure out where
these new attacks are coming from on your own - based on the
technology, what weaknesses, what stress points are being introduced.
Sometimes you will have to test and you will have to design tools for
those tests. And some of those tools you will have created will be
offensive, because that's why you created them." All this is
necessary, he insisted, because it's "the only way you can actually
buttress and buffer up your defenses beforehand."

Mudge holds that it should not be the responsibility of the end user
to find or develop patches for flawed software. That responsibility,
he asserted, belongs with "AT&T, Microsoft, Nortel [Networks], Sun
[Microsystems]." The developers - not some confused software user -
should be the ones to address the problems.

A developer's caveat emptor

Ranum objects to openly publishing software flaws on the grounds that
it more often acts like a how-to tract for hackers than an alert for
security professionals and developers. Mudge disagreed. "We had an
evolutionary life cycle over at the L0pht on how we released
advisories," he recalled. "At the very beginning, we went directly to
the vendors and nobody else. The vendors basically told us if their
clients didn't know about it, we should shut the hell up because
they're going to have to spend more money to fix it, and why should
they do that since they're profitable?"

Mudge said this kind of attitude "trained" L0pht and other hackers to
believe that only ongoing public pressure and humiliation would or
could compel companies to fix their buggy software.

Today, he said, software consumers have become so cynical they "need
third-party proof of concept" before they'll believe the software's
been fixed, and the only way that will happen is through independent
review. The software companies are where Swift and Armour were in
1906, when Upton Sinclair wrote his classic exposé on the meatpacking
industry, The Jungle - the consumer uses the product at his own risk.

Analyst, anthropologist, attorney

Michael Brian Scher is a network security and policy analyst, a lawyer
and a doctoral student in anthropology at the University of Chicago,
where he is completing his dissertation on "unauthorized access to
computers where there is no apparent fiscal motivation." In short,
he's researching noncriminal hackers.

Scher, too, contends that Ranum has focused on the wrong target. And
he agreed with Mudge that there ought to be some kind of independent
"Underwriters Laboratories" to certify safe software.

But the lawyer in him adds one more factor: The key to computer
security, he believes, lies in areas of liability and insurance. Right
now, software is a take-it-or-leave-it market. Thanks to Draconian
licensing agreements - which, in many cases, the consumer
automatically agrees to simply by opening the package - all liability
rests on the user, none on the manufacturer.

"I think we first ought to ask the software manufacturers to look at
where these flaws and vulnerabilities are coming from," Scher said.
"It's their own products, of course. Next, we should calculate the
real fiscal loss in allowing these companies to utterly disclaim
liability."

Scher, who has overseen the purchase of hundreds of thousands of
dollars' worth of computer security software, said manufacturers
should indemnify consumers at least to some degree.

But the response from the manufacturer, he said, is "'Are you nuts?'
Obviously, they don't trust their security enough to stand behind it."

A smart company, Scher said, would say:

"'Absolutely! We will indemnify you up to, say, $40 million.' Then
they'd turn around, buy insurance and pass that cost right on. The
advantage to us is an umbrella from the insurers, who are reviewing
this company and making sure they do things correctly. Meanwhile, the
company has an interest in doing things correctly, because even though
they won't wind up paying anything in liability costs, their rates
will increase, and they'll have all kinds of negative public
attention."

It's certain that hackers and script kiddies aren't going to vanish in
the foreseeable future. So we have a choice: jail them - assuming
authorities can identify and convict them, which is unlikely - or fix
the software. Which do you think makes sense?


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".