Information Security News mailing list archives

Cerf Disses Bush's Patch Plan


From: InfoSec News <isn () c4i org>
Date: Thu, 13 Dec 2001 02:39:11 -0600 (CST)

http://www.wired.com/news/conflict/0,2100,49095,00.html

Associated Press 
3:05 p.m. Dec. 12, 2001 PST  

WASHINGTON -- One of the Internet's founders said Wednesday there were
important weaknesses in the Bush administration's plans to build an
ultra-secure government network and to encourage companies to make
computers safer for consumers.

Vinton G. Cerf, widely recognized as a "father of the Internet" for
co-inventing one of its communications technologies, warned against a
White House proposal to have software companies automatically repair
their products whenever new vulnerabilities were discovered.

Last week, the president's top computer security adviser complained to
some technology executives that consumers and businesses routinely
fail to install software fixes known as "patches" even as vendors make
them freely available. Richard Clarke said it was "not beyond the wit
of this industry to force patches down" to users.
 
"Some people have suggested we push out patches a lot more," Cerf told
technology executives and government officials at a conference
Wednesday. "It's an attractive idea, but I don't know how we go about
making it work."

Some of the Internet's most-damaging attacks, including those from the
virus-like Code Red and Nimda programs, exploited flaws in software
from Microsoft that had been discovered weeks or months earlier.
Although only computers whose users had not installed the patches were
attacked, the resulting congestion affected parts of the Internet more
broadly.

Cerf, senior vice president of Internet architecture and technology at
WorldCom, said software vendors could not be expected to develop
patches that can be installed safely across the array of the world's
network configurations. Others also have warned that a vendor's poorly
written patch could disrupt a company's operations unless it were
tested extensively to be sure it was compatible with all the company's
other software.

"There are interesting questions about doing it automatically," said
Cerf, who spoke at a computer-security conference organized by the
Information Technology Association of America and Computer Sciences
Corp.

Cerf said software companies need to do a better job ensuring their
products are secure and cannot be used as weapons to attack others
electronically on the Internet. "The people who build the software
don't seem to be paying attention to how these things can be abused,"  
Cerf said.

Cerf expressed caution about another proposal endorsed by the White
House to build an ultra-secure, private computer network for
government agencies and their key partners, called "Govnet."

Clarke proposed the idea a year ago at a security conference at
Microsoft's headquarters, then formally announced the project eight
weeks ago.

Unlike traditional U.S. computer networks, Govnet would be physically
separate from the Internet, with no way to exchange e-mails or files
with outsiders, in order to maintain security and protect it from
hackers, viruses and other online threats.

Cerf noted that networks are most useful, though admittedly more
vulnerable, when they are connected to other public networks of
computers. Cerf predicted that Govnet users would be tempted to
illegally connect laptops or other computers for their convenience, or
would transfer information on floppy disks between Govnet and public
computers.

Although some U.S. classified computer networks are physically
separate from the Internet and other public networks, viruses and
other malicious software are occasionally discovered on them.


