Business Technology: Not Black Hats For Nothing - InformationWeek


Business Technology: Not Black Hats For Nothing

Let's take a hypothetical situation--could be any company that makes software for use by businesses and other large organizations. The vendor learns of a security flaw in its product. The vendor quickly creates a terrific patch and immediately notifies all of its customers that the free patch is available on its Web site. Only about half of the customers install the patch. Meanwhile, the bad guys also learn about the flaw and go on the offensive because they know that for whatever reason, only about half of all customers will repair the hole. Attacks are launched, penetrations are made, mayhem ensues, and the attendant media coverage befouls the image of the software vendor that created the software that needed a patch that got the fix that half of all customers ignored that let the hackers storm the network.

One approach is The Blame Game, in which various factions point various fingers oriented in various ways at or toward those they believe to be the real villains. Some will blame the software vendor for not creating perfect code--we might call these the Don Quixote Brigade. Others will blame the customers for not installing the patches--maybe their team name should be Attack The Symptom And Ignore The Disease. Then there are the hackers themselves, the malicious criminals who plan and launch these electronic assaults--we'll call them what they are, which is the Loathsome Bastards. And these days, no doubt, there are some on the otherworldly fringes who will blame it all on Corporate Greed--we'll call that team Silly.

But for thousands of people, a year after the disaster is too soon to move on. "I lost my daughter and my sister on Sept. 11," said Marie Barbosa, 80, as she rested on a bench outside a bookstore on Court Street in Brooklyn. For Ms. Barbosa, Sept. 11 will be just another day of profound grief and sorrow, but she said the city needed to pause and remember. "The plans the city has, the reading of the names, that would be really nice," she said. "People should see all this and realize what it did to us. It's something that nobody should forget." An elderly woman pushing a shopping cart festooned with American flags a few blocks from Ground Zero wouldn't even talk about Sept. 11. "That's like a tombstone right in my heart," she said, pushing a reporter's notepad away.

-- The New York Times, Aug. 8, 2002

So against such a backdrop, what's the responsibility of the party of the first part, the software vendor that created the product? Should it use every available means to learn about, correct, and inform its customers and partners of the problem as quickly as possible? One company, Hewlett-Packard, recently decided to shoot (well, threaten to sue) the messenger, which in this case was a security-services firm that had published code showing a serious hole in HP's Tru64 Unix operating system. (For the full story by senior editor George V. Hulme and related links, go to "HP Threatens Legal Action Against Security Group," Aug. 5, p. 24.) One likely repercussion of such attempts to stifle open discussion of security flaws is that more of those holes remain open, vulnerable, and unpatched until they're found and exploited by hackers. Or, as a security consultant quoted in Hulme's article put it: "It comes down to [the fact that] corporations don't want to be embarrassed."

The suggestion here is that HP and all other software makers decide to take the route of greater visibility and awareness and that they work in concert with all reputable security firms to post, fix, and patch vulnerabilities. And that they conserve their legal wrath for the real enemy, the Loathsome Bastards, and go after them with relentless and remorseless vigor.

In this context, then, what are we to make of another security-related news item we reported last week: that White House cybersecurity adviser Richard Clarke spoke at the recent Black Hat conference, urging the hacker attendees to stay on the right side of the law? (See "Hack Away?" Aug. 5, p. 17). Clarke told the Black Hatters that he finds it "very disappointing" when companies press charges against hackers acting in good faith and also said the government is considering legislation that would protect such white-hat actions.

Until now, Clarke seems to have been doing all the right things in his highly challenging role, but I really have to wonder about the wisdom of putting the burden of proof on the victim. Who's to say, other than the company that was hacked, whether the hackers acted in "good faith"? And do we really want to enact legislation protecting such illegal activity, no matter how pure the motives? "Yes, officer, I was secretly in another person's home at 2:30 a.m. stuffing jewels and money into a sack, but I did it because I thought those things were emitting gamma rays that could harm the family that lives there and I don't know what intentions could be better than that." Mr. Clarke, they don't call themselves Black Hats for nothing.

Bob Evans
