
Good guys wearing black hats


How frustrating! Just after I had sent last week's rant against Hewlett-Packard's stupid initial reaction to being told about a security problem with its operating system to my editor, I left for a few days of relaxation in California. The next morning I read that the U.S. cybersecurity czar was encouraging hackers to ferret out security vulnerabilities in commercial software. That sure would have been a good tagline for the column, but it was just a few days too late. So I'll write about it now.

Richard Clarke, President Bush's special adviser on cyberspace security, gave a keynote speech to the Black Hat security conference in Las Vegas, sponsored by nine companies including PricewaterhouseCoopers, Nortel and Microsoft. He blasted companies, particularly those selling wireless network equipment and ISPs offering broadband Internet access, for not providing meaningful security.

Not coincidentally, the same day that the Black Hat conference story broke, the U.S. Department of Defense announced it is going to prohibit the use of most wireless devices inside military buildings in the near future. This will include cell phones, wireless handhelds and wireless laptops. All because, to the closest approximation, there is no security on these devices. Gee, they are getting picky!

Clarke also said at the Black Hat event, "Some of us, here in this room, have an obligation to find the vulnerabilities [in commercial software]." He cautioned that software vendors should be told about any vulnerabilities that were discovered rather than the information just being made public. That way, the vendor would have the chance to put out a fix before the bug became widely known. He also recognized that some vendors seem less than interested in fixing security problems and told the hackers that they should report vulnerabilities to the government in that case.

Clarke suggested that laws might be needed to protect hackers who act in good faith. He did not mention it, but one thing that might be needed is a "clarification" of the Digital Millennium Copyright Act to prevent a company more interested in protecting weak software than fixing it from using the DMCA as a stick to poke people in the eye.

It is very good news that someone from this, or any government, understands that the best security happens when systems are tested. The alternative is to bet on the omniscience of programmers and the stupidity of the bad guys. This does not seem like a good bet when the economic health and security of this and other societies are the table stakes.

Now if there were only some real incentive for vendors to put out secure systems and to provide quick, well-tested and easy-to-install fixes when flaws are found. The cost of last year's Nimda virus was about $3 billion. Maybe if the vendor of the vulnerable software had to pay some of that cost it would make the vendor wake up.

Disclaimer: $3 billion would even make Harvard wake up, but the university did not offer the above opinion, I did.


Bradner is a consultant with Harvard University's University Information Systems. He can be reached at sob@sobco.com
