U.S. Computer Security Advisor Encourages Hackers
Security | Posted by timothy on Thursday August 01, @11:48AM
from the grain-of-salt-to-choke-a-volcano dept.
DarklordSatin writes: "According to this Associated Press article, which I was pointed to by the nice guys over at Ars Technica, Richard Clarke, Dubya's Computer Security Advisor, wants to encourage hackers to find security holes in software. Although he feels that the system only works when the hackers show 'good faith' and disclose the holes to the company before the public, he wants to start offering more legal protection to hackers and that is a very good step in the right direction." As the folks at Ars point out, though, "Naturally, Mr. Clark was using the original, more generalized, definition of "hacker", but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."

251 comments
Left hand, meet right hand... (Score:3, Funny)
by FortKnox on Thursday August 01, @11:49AM (#3992565)
(User #169099 Info | http://www.marotti.com/ | Last Journal: Thursday August 01, @09:41AM)
If only the left hand knew what the right hand was doing...
In related news (Score:2, Funny)
by tetrode on Thursday August 01, @11:50AM (#3992574)
(User #32267 Info | http://www.tetrode.org/)
The government encourages People to go to work.

Probably won't last (Score:3, Insightful)
by MxTxL (mlutter&cfl,rr,com) on Thursday August 01, @11:52AM (#3992581)
(User #307166 Info | http://www.kitestop.com/)
If something like this made it anywhere near being a policy decision, when the popular press got ahold of it, it would not last very long. Joe Sixpack doesn't know much about computers, but he knows the word 'hacker' and he knows that it's mapped to the word 'bad'. So when anyone suggests letting (hackers=>bad people) near our critical computers (which all computers are...) then Joe goes on the warpath and gets it struck down.
break programs? (Score:5, Funny)
by stray (info@stray.ch) on Thursday August 01, @11:52AM (#3992582)
(User #73778 Info | http://strayland.com)
From the article: A presidential advisor encouraged the nation's top computer security professionals and hackers Wednesday to try to break computer programs, but said they might need protection from the legal wrath of software makers.

... and there I was, thinking that most computer programs were broken to begin with. How about encouraging computer professionals to *fix* programs?

Friend or Foe (Score:2, Insightful)
by errittus on Thursday August 01, @11:52AM (#3992584)
(User #13200 Info | http://www.ethernaut.net/)
After going after these people for exploiting bugs in software for the wrong reasons, maybe this will lead to some gainful employment for a few ladies/fellows.
Hackers (Score:1)
by SpatchMonkey on Thursday August 01, @11:52AM (#3992585)
(User #300000 Info | Last Journal: Tuesday July 16, @02:40PM)
I suppose next they'll be suggesting that thieves be allowed to break into my house, just to see if it is secure.

This is a slippery slippery slope, folks.

If hackers break into my systems, I want them prosecuted like another type of criminal!
    Re:Hackers (not a slippery slope at all) (Score:4, Insightful)
    by MarvinMouse on Thursday August 01, @11:58AM (#3992638)
    (User #323641 Info | Last Journal: Wednesday July 24, @01:39PM)
    I think what he meant was people who try to break their own systems to find bugs in them. Not the people who mindlessly hack into other people's web pages and change them because they have no time.

    He means responsible hackers who just find the problems and notify the company. Not hack into banks or your computer.

    It is perfectly legal for someone to try to defeat their own home security system. While it is not legal for them to break someone else's (unless requested.)

    Not a very slippery slope at all if you look closer. All he wants is for people who discover or uncover problems on their own little systems or labs to be allowed to tell the companies. Or even just let these people find the problems on their own. As well, he wants to legislate it a bit more, so while they can notify the companies, they won't be able to release to the public exact details on how to break in.

    Just like, if I discovered that my security system on my car was easily breakable. I could tell the company, and let my friends know there is a problem. But I cannot publish a detailed paper explaining how to unlock doors with a screwdriver and some patience.
    Re:Hackers (Score:4, Informative)
    by MagPulse on Thursday August 01, @11:58AM (#3992641)
    (User #316 Info)
    This is more like an architect taking a model of your house, finding the weaknesses, and telling the manufacturer about it so they can fix your house before someone malicious takes advantage of it.
  • Re:Hackers by Jucius Maximus (Score:3) Thursday August 01, @12:03PM
    • Re:Hackers by WEFUNK (Score:2) Thursday August 01, @01:27PM
  • Re:Hackers by mr_z_beeblebrox (Score:1) Thursday August 01, @12:06PM
  • Re:Hackers by Dephex Twin (Score:2) Thursday August 01, @12:17PM
    • Re:Hackers by finkployd (Score:1) Thursday August 01, @12:47PM
      • lamo by Dephex Twin (Score:1) Thursday August 01, @01:05PM
        • Re:lamo by finkployd (Score:1) Thursday August 01, @02:03PM
          • Re:lamo by Dephex Twin (Score:1) Thursday August 01, @02:20PM
  • Re:Hackers by liquidsin (Score:2) Thursday August 01, @12:21PM
  • Re:Hackers by charon_on_acheron (Score:1) Thursday August 01, @03:26PM
Too Late (Score:2, Interesting)
by ShishCoBob (shishcobob@shishc[ ]b.com ['obo' in gap]) on Thursday August 01, @11:52AM (#3992586)
(User #516335 Info | http://www.maximum-cars.com/)
It's a little too late for these. We already have a number of people in jail for finding software bugs and releasing the details without doing any damage... And isn't there a law already against this exact thing here?
May work, may not (Score:1)
by Hacker'sEdict on Thursday August 01, @11:52AM (#3992587)
(User #593458 Info)
But IMHO hackers aren't going to play the nice guys and report the bugs; they are going to exploit the bugs and either not tell the company about all of the bugs or not tell the company about any of the bugs. That is what they do. Do you think that they will stop just for you?
More surprising... (Score:3, Funny)
by Maran on Thursday August 01, @11:53AM (#3992596)
(User #151221 Info | http://www.geocities.com/markleya)
Which is more surprising: Government representative supports hackers, or Government representative uses correct meaning of "Hacker".

Maran
Disclosing to company vs public (Score:3, Insightful)
by Winterblink on Thursday August 01, @11:53AM (#3992597)
(User #575267 Info | http://winterblink.com/)
At least if you post it to the public you're assured that the company's not just going to push the reported exploit under the rug and ignore it, or "quietly" patch it in a later version to bypass the bad press.

Being publicly accountable makes a company more diligent with security and bug testing. The only downside to public announcements is that every hacker out there now knows about it. The upside to THAT is that the company now has a hell of a lot of incentive to patch the hole in a prompt manner. Just my 2c!

so US security has a bit of a clue (Score:5, Interesting)
by Jucius Maximus (j13moh@netscape.net) on Thursday August 01, @11:53AM (#3992598)
(User #229128 Info | http://slashdot.org/ | Last Journal: Thursday July 18, @10:43AM)
They recognise that 'hacking' is a good way of helping to secure systems, which is good.

Now I hope that a USA Citizen tells them that they are encouraging something that is outlawed by the DMCA.

Ah, that explains it (Score:2, Funny)
by Anonymous Coward on Thursday August 01, @11:53AM (#3992601)
No wonder a Trojaned version of OpenSSH was put on OpenBSD's FTP server. They were acting on Presidential recommendation!
cnn link (Score:2)
by 2MuchC0ffeeMan on Thursday August 01, @11:53AM (#3992603)
(User #201987 Info | http://i.love.spam.mail.com/)
Cnn Story:
Linky Linky [cnn.com]

it's said WE have to be the world's debuggers
Of course, if you go out and actually do this... (Score:5, Interesting)
by Rude Turnip (rudeturnip@valBOYSENdot.org minus berry) on Thursday August 01, @11:53AM (#3992605)
(User #49495 Info | http://valdot.org/)
There's a pretty good chance you'll get sued/fined/imprisoned due to the DMCA. Of course, the advisor did say that some legal protection for hackers should be in place to prevent such a mess.

These days, with "corporate fraud" being the buzzword du jour, one could make a very strong argument that the DMCA encourages corporate fraud because it allows companies to sweep their product defects under the carpet.
Just be sure not to give out your name... (Score:3, Interesting)
by iritant ({lear} {at} {ofcourseimright.com}) on Thursday August 01, @11:55AM (#3992616)
(User #156271 Info | http://www.ofcourseimright.com/)
There was the incident of the fellow who discovered that the New York Times was left wide open by FrontPage. So he called to tell them, and was promptly arrested. I wonder if Mr. Clarke thinks that's fair.
They will first encourage you (Score:2, Informative)
by PrimeNumber on Thursday August 01, @11:56AM (#3992630)
(User #136578 Info | http://slashdot.org/)
then put you in jail for DMCA violations.
In Other News (Score:2, Funny)
by Apocalypse111 on Thursday August 01, @11:59AM (#3992642)
(User #597674 Info)
A top Bush-administration official, in a tie in with Richard Clarke's press release on hackers today gave his support to the Cult of the Dead Cow, a hacker group responsible for creating the juvenile-hacking utility known as "Back Orifice" or simply B.O. Whether this official's support is a tie in with the Bush administration's fundamentalist leanings is unknown. CotDC representatives were quoted as saying, "5w33t! 7h1s r0x0rs! w3 w1ll 0wnz j00 4ll n0w! ph34r u5!" President Bush was unavailable for comment.
Careful this is a trap! (Score:1)
by jsonmez on Thursday August 01, @11:59AM (#3992652)
(User #544764 Info)
What an elaborate trap, he makes some big speech about this, all the hackers come out of their hiding places and publish security holes and BAMMO they are all put behind bars because of DMCA violations. Then he says "oops."
Ethics (Score:4, Interesting)
by YanceyAI (yanceyai@yahoo.com) on Thursday August 01, @12:00PM (#3992653)
(User #192279 Info)
This is an interesting ethical question. Clarke said the hackers should be responsible about reporting the programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker doesn't respond soon. The philosophy is good in theory, but often large companies ignore problems to avoid the press and/or expense of fixing the security hole.

I wonder how long the "hacker" should give the company. And is the government really the next best step? I work for the government and I seriously doubt that will get the ball rolling.

The obvious problem with full disclosure, of course, is making malicious hackers and even terrorists aware of the problem. Solutions anyone?

  • Re:Ethics by Mr_Silver (Score:2) Thursday August 01, @12:11PM
  • Re:Ethics by BlowCat (Score:2) Thursday August 01, @12:16PM
    • Re:Ethics by Ig0r (Score:2) Thursday August 01, @06:24PM
  • Re:Ethics by Restil (Score:3) Thursday August 01, @12:19PM
    • Re:Ethics by Rupert (Score:1) Thursday August 01, @01:56PM
  • Re:Ethics by Neumann (Score:1) Thursday August 01, @12:21PM
  • Re:Ethics by Irvu (Score:2) Thursday August 01, @12:25PM
  • Re:Ethics by jeffy124 (Score:1) Thursday August 01, @12:59PM
  • So who in the government gets the report? by fizbin (Score:2) Thursday August 01, @01:44PM
  • Re:Ethics (Score:4, Insightful)
    by jafac on Thursday August 01, @02:53PM (#3993997)
    (User #1449 Info | http://slashdot.org/)
    That's bullshit.

    If some shadetree mechanic is working on his buddy's Camaro, and finds a manufacturing defect that ought to prompt a safety recall - he goes to the manufacturer and most likely gets promptly ignored (for the sake of argument here). He can then go to something like Consumer Affairs, but he sure as hell doesn't have to. He can go straight to the press to warn people that their Camaros (or whatever) are going to fall apart at 88 miles per hour.

    That is PRECISELY what the hackers are doing - they're going to the press.
    Respected, established, journalistic entities, specializing in the field of computer security. 2600 magazine, BugTraq, etc.

    Not publishing a security hole, not being able to report something to the press, THAT is an abridgement of free speech. It's BULLSHIT that someone needs to be an "employed security professional" to have the right to work on computers and find bugs.
  • The responsibility should belong to vendors by theLOUDroom (Score:1) Thursday August 01, @02:59PM
judgemental (Score:3, Insightful)
by skydude_20 on Thursday August 01, @12:01PM (#3992662)
(User #307538 Info)
system only works when the hackers show 'good faith'

who gets to decide what a hacker did was in 'good faith'? These proposed laws mixed with the DMCA should make the credibility of the system less than it is currently treading at...

Run to Uncle Sam? (Score:4, Interesting)
by Rogerborg on Thursday August 01, @12:05PM (#3992686)
(User #306625 Info | http://slashdot.org/)

A more interesting quote is in this CNN article. [cnn.com]

    "A hacker should contact the software maker first, he said, then go to the government if the software maker does not respond soon."

Umm, really? To whom in the government? The Department of Fixing Stuff? The FBI? The FTC? The DoJ? Gosh, that'll keep (e.g.) Microsoft on their toes. Bwahahahaha!

Precedent would suggest that a more likely result will be the jailing of the hacker, and the awarding of a fat contract to the vendor.

Thanks all the same, but this is just some guy in a suit. When it's written up in law by Congress, signed by G.W.Bush, and delivered to the Library of Congress by flying pig courier, I might change my mind.

His Definition of Hackers. (Score:2, Insightful)
by Anonymous Coward on Thursday August 01, @12:06PM (#3992690)
I heard him on the radio this morning.

He encouraged hackers who are also "professionals" to look for bugs like this, and then report the bugs to the government and the software maker. There was no policy about what happens when both moribund entities laugh and sit on it.

Nor did he want the hoi polloi hackers out there looking for software bugs. He was explicit about this: Only Security Professionals Need Apply.

Allow me to take this moment to reassure that he is as disconnected from things as you could ever imagine. This is just the same crud in a new can. He will happily prosecute you if you do something to make the world better and don't wear a suit / this is not your "job" by his lights.

So don't take it too much to heart... he really didn't mean you regular people, folks.
WarTalking Arrest? (Score:1)
by B3ryllium on Thursday August 01, @12:08PM (#3992712)
(User #571199 Info | http://www.beryllium.ca/)
But I thought that in the US you would get arrested and charged for showing that systems had vulnerabilities? I mean, that WarTalking case doesn't exactly inspire the White-Hat Hackers to continue in their good deeds, does it?
Another comment from me (Score:1)
by Winterblink on Thursday August 01, @12:09PM (#3992715)
(User #575267 Info | http://winterblink.com/)
Just a second comment from me on this, based on a quote in the story:

"If there are legal protections they don't have that they need, we need to look at that," he said.

Maybe it would be a better idea to create those protections before stepping up to the podium and announcing a call to arms to people around the world to find bugs and report them.

This is Consistent (Score:1, Flamebait)
by blair1q on Thursday August 01, @12:11PM (#3992734)
(User #305137 Info)
This is consistent with the Administration's policy of having crooks act as policemen.

Ted Olsen.
Harvey Pitt.
John Ashcroft.

No need to remind you that this regime lost the popular vote in 2000, and recounts determined that without the Supreme Court's intervention they would have lost Florida and the electoral vote as well.

--Blair
Or maybe it's... (Score:1, Offtopic)
by eyepeepackets on Thursday August 01, @12:12PM (#3992743)
(User #33477 Info)
Richard Clarke saying, "I have a cunning plan!"

NPR Interview this morning ... (Score:3, Insightful)
by ayden (ayden@caroling[ ]org ['ia.' in gap]) on Thursday August 01, @12:15PM (#3992761)
(User #126539 Info | http://www.carolingia.org/KWDS)
I heard the NPR Morning Edition interview [npr.org] with Richard Clarke this morning. Yes, Clarke encourages "hackers" to find security holes, but be responsible: after discovering the security hole, notify the government and the manufacturer, but DO NOT tell the world. Clarke argues that he wants the software manufacturer to have time to develop a patch before announcing the vulnerability.

Clarke also said he wants "Computer Security Specialists" to hack and not the people doing it for fun. This ambiguity is the problem: how do you define "Computer Security Specialist"? Most of everything I learned about IT came through hacking for fun. Now I'm employed as a "Computer Security Specialist."
DMCA weakening on the way? (Score:1)
by jordan_a on Thursday August 01, @12:16PM (#3992768)
(User #139457 Info)
"If there are legal protections they don't have that they need, we need to look at that," he said.
The first step in this would obviously be to add an exception to the DMCA stating that the circumvention of security measures in a product is legal if done for research purposes.
Take this to your representative!
Mailing address (Score:2, Informative)
by tww-china on Thursday August 01, @12:19PM (#3992801)
(User #171273 Info | http://thewrittenword.com/)
Anyone have the mailing address of the President's Critical Infrastructure Protection Board (PCIPB)? Their home page is http://www.whitehouse.gov/pcipb/ but there's no address and the email address for feedback, feedback@who.eop.gov, doesn't work.
heard the report on the radio (Score:1)
by f00zbll on Thursday August 01, @12:20PM (#3992809)
(User #526151 Info)
I feel it is a positive step, but the administration needs to be more clear about what exactly they mean. Talk is cheap. When I see some legislation that improves/encourages/balances the research/report/fix/disclosure of bugs I'll smile. Until then, I'll take the perspective of hope for the best and expect the worst.

Big business owns the government, so getting tough laws passed to measurably improve software security is a very tough task. The key here is measurable. Not some bs statistics that politicians can throw around. I want results.

Can't have it both ways (Score:1)
by Ride-My-Rocket (vejitasweeps@hotmail.com) on Thursday August 01, @12:25PM (#3992841)
(User #96935 Info)
So now that the government (or maybe just this one particular individual) is realizing that their software isn't that secure, they want "hackers" to come forward and help them out? This, despite the fact that the DMCA subjectively outlaws this, and with the whole Tru64 thing fresh in one's mind?

If they want help, they have to make sure those who try and help out are protected by the law. You can't have it both ways.
Why does the government have to encourage hackers? (Score:1)
by marcelkiel on Thursday August 01, @12:26PM (#3992853)
(User #564382 Info)

I don't understand why the government has to encourage experienced programmers to find security holes - the software companies should do that. They can hire experts under a contract which gives both sides the necessary legal protection.

Customers can choose the products they believe to be secure enough for their use, for example ones that have been explicitly reviewed by hackers. And if they don't find a commercial product which is secure enough, they can switch to open source software, which has been reviewed by experienced hackers for as long as it has existed.

INTERVIEW THIS GUY (Score:5, Interesting)
by geekoid (notities@yahoo.com) on Thursday August 01, @12:26PM (#3992854)
(User #135745 Info | http://slashdot.org/ | Last Journal: Thursday February 21, @05:37PM)
we need to get Richard Clarke to do a slashdot interview. I think this would be an enormous opportunity for the slashdot readers to find out what someone high up thinks about the DMCA and its effects on the community. It will also give Richard Clarke the opportunity to hear the concerns right from the community instead of from corp. reps.

  • "High up" != "Thinks" by Insightfill (Score:1) Thursday August 01, @01:28PM
  • Re:INTERVIEW THIS GUY (Score:4, Interesting)
    by pmz on Thursday August 01, @01:54PM (#3993527)
    (User #462998 Info)
    we need to get Richard Clarke to do a slashdot interview.

    This is a good idea. A natural extension to this would be to invite other government figures, such as Justice Department officials or members of Congress. People who have an interest in federal or international technology policies might appreciate the open, yet moderated, forum of Slashdot. This could be an example of the U.S. government at its best.

    This could be an easier way for people to "write their Congressmen", since there really is a lower courage threshold when posting to Slashdot (yes, writing Congressmen isn't trivial for many people, even though it should be).
  • Re:INTERVIEW THIS GUY by jafac (Score:2) Thursday August 01, @02:46PM
Interesting fuel for the full-disclosure debate (Score:3, Informative)
by davebooth on Thursday August 01, @12:27PM (#3992860)
(User #101350 Info)

Disclaimer: My personal side in the above-mentioned debate is already decided. I advocate responsible full disclosure. Tell the vendor first, but don't agree to any NDAs and always make it clear to the vendor that after a reasonable delay you go public with everything you've got relating to the hole.

Having proclaimed my bias, it was interesting to hear the guy's own words on NPR this morning. On the positive side he correctly defined "hacker." On the negative side he clearly preferred a more restrictive disclosure policy that could be summarized as "Tell the vendor then shut the hell up and go away." When gently pressed he was prepared to allow notification of a "responsible" coordinating agency but he made very sure to never advocate anything so liberal as responsible full disclosure. I was busily making breakfast and coffee at the time so I might have missed an implication or two, but these days the usual spin on "responsible" when linked to the word "agency" means either government-sanctioned-&-corporate-owned or government-operated. Some security hackers find this a potentially scary thought.

Personally, I take responsibility for my own systems' security. Based on the information I have I do my best to keep them buttoned down. Only in that way can I ethically place any blame on the persons that might try and crack them. (Of course I also know my limitations - if a true expert wants to smoke my systems I know they're gone. I'll be satisfied with keeping the worms and kiddies out whilst trusting that there's nothing on my own boxes that a true expert wants badly enough to put in the effort.)

From this standpoint, anything other than responsible full disclosure denies me knowledge I need in order to make an informed decision about the risks I'm assuming. Similarly to do anything less myself, should I discover a security hole, is failing in my obligations to my colleagues.

To my mind he's advocating using the community as a source of free QA services whilst at the same time making sure that the vendors can get away with the old oxymoron of security through obscurity. Who'd bet against a government sponsored coordinating body being followed rapidly by laws prohibiting disclosure of holes other than through that body?

HP (Score:2, Interesting)
by Osiris Ani on Thursday August 01, @12:31PM (#3992879)
(User #230116 Info | http://www.osirisani.com/)
In the wake of the recent HP debacle [slashdot.org], I'd have to say that this is very interesting.

Regardless of the fact that it wasn't actually SnoSoft that officially published the exploit, even if they had, Clarke is basically saying that they went about things in pretty much the most appropriate manner.

DMCA not their realm (Score:1)
by dollargonzo on Thursday August 01, @12:32PM (#3992885)
(User #519030 Info | http://slashdot.org/)
sure, harmless hacking and reporting of this sort violates the DMCA; sure, they say they want legal protection for the people that help them; and sure, they will probably try to do something if you get arrested in the process of reporting a bug. if they succeed in helping you, they will claim triumph. if not, they don't really care because systems that they rely on might get bugs fixed, and there are plenty of people in reserve, even if you eliminate a few. i don't think that the advisor's reputation would be at all affected if some DMCA lawsuit ensues.

QED
If you trust this, you deserve to be jailed... (Score:1)
by scheming daemons on Thursday August 01, @12:33PM (#3992887)
(User #101928 Info | http://www.dtfb.org/rush)
Any hacker who trusts any member of this administration is too foolish to be a free person. This has Ashcroft written all over it. First you will identify yourselves, then you will be arrested for DMCA violations.

This administration is the most anti-4th Amendment in the history of this nation. Now they produce a scheme to get hackers to unknowingly turn themselves in.

Enjoy your jail time, suckers....

Contrary to his remarks on NPR this morning (Score:3, Informative)
by JUSTONEMORELATTE on Thursday August 01, @12:33PM (#3992889)
(User #584508 Info)
On the drive in, NPR had an interview with this guy (Yes, I listen to NPR in the car. Yes, I'm old.) and his remarks there made it clear that he thinks reverse-engineering software to find security holes should be criminal unless the person doing it is employed as a computer security professional.

I'd rate him above-average on the clue-o-meter (certainly as federal gov't employees go!) but he's not a friend to the hackers by any stretch.
Richard supports the DMCA (Score:3, Insightful)
by evenprime on Thursday August 01, @12:41PM (#3992945)
(User #324363 Info)
Be careful when you say that Clarke "encourages discovery of software bugs". On NPR this morning they mentioned Ed Felten [eff.org] and Dmitri [eff.org] (though not by name) and asked Clarke if his statements at Black Hat were consistent with the government's prosecution of people who find holes in software. Clarke responded that US law prohibits people who are not "security professionals" from intentionally looking for security holes in software, and that the reverse engineering of software to find holes in it is prohibited.
Dear Hacker... (Score:1)
by phillymjs on Thursday August 01, @12:42PM (#3992947)
(User #234426 Info | http://slashdot.org/)
...Congratulations! You have won a FREE motorboat^H^H^H^H^H^Hcomputer!

Please pick it up in person today at the Springfield PD^H^H^H^H^H^HFBI Headquarters.

Signed,

Chief Wiggum^H^H^H^H^HJohn Ashcroft
What's with insulting "Dubya" talk? (Score:1, Offtopic)
by Chuck Messenger on Thursday August 01, @12:42PM (#3992949)
(User #320443 Info)
Was there a particular reason to be insulting Bush? Or is that just sort of taken as given -- that we all hate Bush?
What is mine? (Score:4, Insightful)
by gmhowell (gmhowell@@@comcast...net) on Thursday August 01, @12:46PM (#3992972)
(User #26755 Info | http://brewnix.sourceforge.net/ | Last Journal: Wednesday July 24, @07:33PM)
What is 'my system'? I am responsible for the whole shebang: NT servers, 2k terminal servers, Linux firewalls and web servers, NT desktops, wireless access points.

How can I attack my own systems without attacking someone else's 'intellectual property' or some such BS? I can't. But by the terms of the licenses (even the GPL and BSD, I believe) I can't blame the people I got the software from.

Anyone living in the US, connecting to the US, or who has even heard of the US should not be doing computer security. Anyone who is doing even a reasonable job of it is checking into and poking into the products supplied by vendors. But this is illegal. The vendors can't be blamed. Only you. You can be blamed, but you don't legally have the right to do the thing/s that will make your work effective.

Run. Run and hide.

I said it in a response to a journal on this story (posted yesterday, BTW) but I'll say it again: in a fight between this guy and Ashcroft (which is what this essentially is), Ashcroft will win every time. The only way to get around the problem is to invalidate the disclaimer of warranty of merchantability of a product. If nothing else, computer software must be fit for a specific purpose. At that point, GM and Walmart become aligned with anti-DMCA forces. Then Microsoft and the Senator from Disney get to see REAL political power.

[ Reply to This | Parent ]
Get out of jail free card (Score:2)
by Shagg on Thursday August 01, @12:49PM (#3993001)
(User #99693 Info)
So if a member of the executive branch of the government publicly encourages you to break a law (DMCA), and you're then arrested, it would be considered entrapment right?
[ Reply to This | Parent ]
Sure...hack & get thanked..then get arrested! (Score:2)
by Newer Guy on Thursday August 01, @12:54PM (#3993042)
(User #520108 Info)
Does anyone really trust these clowns?
I mean, their past actions truly don't inspire a single grain of trust. Look at last week where the guy in Houston got busted by the court house for EXPOSING their wifi total lack of security (remember that they claimed he did $5000.00 in damage - no doubt that's exactly how much they paid for all the wifi stuff they had to shut down). Plus...just look at how easy they make it...try to do one good thing and some lawyer begins the mantra: DMCA..DMCA..DMCA.

Nice words you speak guy, but what did Clara say in the Wendy's commercials: "Where's the beef?"

Until I see the beef, I'm not trusting a single word you say....
[ Reply to This | Parent ]
What about.... (Score:1)
by Shmoe on Thursday August 01, @01:00PM (#3993107)
(User #17051 Info)
The guy charged with hacking for letting the court house know about the unsecured access point in the court room? If they encourage us to let them know of holes in systems, are they encouraging us to step forward and be charged as criminals?
[ Reply to This | Parent ]
Rehash of NPR's Morning Edition Interview (Score:5, Interesting)
by AB3A on Thursday August 01, @01:06PM (#3993167)
(User #192265 Info | http://slashdot.org/)
I heard this interview this morning. What he said was not encouraging. He wants "security professionals" to do the hacking --not programmers or kids down the street. He wants them to reveal the exploit without offering code demonstrating it, and he wants to keep it all secret. He made no mention of any time limits before one should give up and go public with this information.

So let me see where this puts us. Phred Programmer discovers a buffer overflow that crashes IE. He tells his security professional about his discovery. Our "security professional" says "what's a buffer overflow?" and the whole thing falls on the floor.

Wait, let's try this again. Phred Programmer discovers a buffer overflow problem that crashes IE. He puts on his "security professional" hat and calls Microsoft. Microsoft says "So what? It crashes. BFD. We'll fix it on the next major release."

Phred Programmer waits until the next major release and the mess is still there. Remember, he's not supposed to write code to demonstrate this problem, or the potential harm, so Microsoft has no idea whether they've really fixed this problem.

So Phred Programmer calls the feds. They respond with "Huh? What's the big deal?" "Well, you could exploit this and hack with full administrator privileges", says Phred Programmer. "Sounds far-fetched" say the feds. "But just in case you're right, I don't want you writing any code. Why don't you post your notions with Microsoft?" "But I already have and they promised a fix by the next major release", complains Phred Programmer.

"Hmm. We'll have to take it up with them."

And so, another major release goes by and still nothing. Meanwhile, somebody else figures out the breached security and because they don't live in the US, they post a script for the kiddies to use.

Back to the present: Somebody explain to me why this scenario is not likely. Restricting this information to "security professionals" seems to me like an effort to sweep security problems under the rug.

Richard Clarke's ideas suck, IMNSHO. He clearly has no concept of how bugs are discovered, demonstrated, and how the repair of those bugs is prioritized by software companies. Does anyone here really think Microsoft would have fixed those buffer overflow problems if no-one had written an exploit and published it? Does anyone here think that users in other countries will have any respect for stupid US policy (never mind the law)? Sheesh.

[ Reply to This | Parent ]
Hacking for "Security Professionals" only (Score:5, Insightful)
by Mr.Sharpy on Thursday August 01, @01:15PM (#3993250)
(User #472377 Info)
This guy was on NPR this morning. When asked about his remarks in context of the laws against such hacking he specifically said that he was talking about hacking by "security professionals" only and then only for the purpose of quietly notifying the software maker. In fact, he explicitly said it should remain illegal for any regular joe to hack or reverse engineer software looking for exploits just for the fun of it.

This guy is not your friend. He, like the rest of the administration, is solely concerned with corporate interests. What he has in mind here is definitely not exposing exploits and causing bad corporate PR. It is the quiet uncovering of holes and the quiet informing of the software makers so they can issue mystery patches.

The reasoning behind that I suppose is to keep malicious hackers from using public exploits. But in reality, by the time the so called "security experts" stumble on the holes, the real evil hackers have already known about them for a long time. This is just more the "keep the problem secret and it will go away" policy that has gotten us into trouble.
[ Reply to This | Parent ]
Ethical Responsibility (Score:1)
by zenray on Thursday August 01, @01:22PM (#3993303)
(User #9262 Info | Last Journal: Friday July 26, @09:58AM)
The way I see this issue is that I have an ethical responsibility to other users of a product to inform them of any security flaws I find. The EULAs of most proprietary software contain disclaimers as to fitness of use and the end users have no legal recourse for any damages incurred. In other words they put out crappy, bug ridden, security flawed software and they expect us to shut up and just use it. To not publish any security problem is to leave every user unaware of the problem and therefore open to potential damage. I say full public disclosure up front of all bugs and security problems with just enough technical detail to verify the problem. No need to provide the script kiddies with automatic tools that they can use. Perhaps the proprietary software companies will start to put out a better quality product if they know that any security problem or bug will be quickly published. The end user's decision might be to start using some open source software that can be fixed a lot quicker than the insecure proprietary software.
[ Reply to This | Parent ]
April Fools? (Score:1, Flamebait)
by jheinen on Thursday August 01, @01:26PM (#3993329)
(User #82399 Info | http://slashdot.org/)
Wasn't April a few months ago? You expect me to believe a high-placed government official has expressed an opinion that hacking could be something other than evil terrorism which threatens the foundations of our society and the American Way(TM)?

I wonder when he'll be replaced.
[ Reply to This | Parent ]
Picky, picky, picky... (Score:2)
by Mulletproof on Thursday August 01, @01:55PM (#3993533)
(User #513805 Info)
"but I guess saying 'Bush Adviser Encourages Discovery of Software Bugs' just didn't have enough zing."

Getting a little nit-picky here? I suspect he used hackers to describe anybody who can gain unauthorized access to otherwise restricted systems, not someone who is encouraged to find out why a "bug" caused the DoD's wargames application to crash. Yep, there's a reason he used the word "hacker" and not "software bugs hunter". I know entry can be exploited using system bugs, but hacking is obviously more than just exploiting "bugs", or did the poster just happen to miss the story immediately following this one? [slashdot.org] A hacker is a combination of skills, not just a "bug hunter"... Which is probably why good ol' Clarke used the popular definition in the first place.
[ Reply to This | Parent ]
    All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2002 OSDN.