Business Technology: Not Black Hats For Nothing

Let's take a hypothetical situation--could be any company that makes software for use by businesses and other large organizations. The vendor learns of a security flaw in its product. The vendor quickly creates a terrific patch and immediately notifies all of its customers that the free patch is available on its Web site. Only about half of the customers install the patch. Meanwhile, the bad guys also learn about the flaw and go on the offensive because they know that for whatever reason, only about half of all customers will repair the hole. Attacks are launched, penetrations are made, mayhem ensues, and the attendant media coverage befouls the image of the software vendor that created the software that needed a patch that got the fix that half of all customers ignored that let the hackers storm the network.

One approach is The Blame Game, in which various factions point various fingers oriented in various ways at or toward those they believe to be the real villains. Some will blame the software vendor for not creating perfect code--we might call these the Don Quixote Brigade. Others will blame the customers for not installing the patches--maybe their team name should be Attack The Symptom And Ignore The Disease. Then there are the hackers themselves, the malicious criminals who plan and launch these electronic assaults--we'll call them what they are, which is the Loathsome Bastards. And these days, no doubt, there are some on the otherworldly fringes who will blame it all on Corporate Greed--we'll call that team Silly.

So against such a backdrop, what's the responsibility of the party of the first part, the software vendor that created the product? Should it use every available means to learn about, correct, and inform its customers and partners of the problem as quickly as possible? One company, Hewlett-Packard, recently decided to shoot (well, threaten to sue) the messenger, which in this case was a security-services firm that had published code showing a serious hole in HP's Tru64 Unix operating system. (For the full story by senior editor George V. Hulme and related links, go to "HP Threatens Legal Action Against Security Group," Aug. 5, p. 24). One possible repercussion of such attempts to stifle open discussion of security flaws would be that more of those holes remain open, vulnerable, and unpatched until they're found and exploited by hackers. Or, as Hulme wrote in his article in quoting a security consultant: "It comes down to [the fact that] corporations don't want to be embarrassed."

The suggestion here is that HP and all other software makers decide to take the route of greater visibility and awareness and that they work in concert with all reputable security firms to post, fix, and patch vulnerabilities. And that they conserve their legal wrath for the real enemy, the Loathsome Bastards, and go after them with relentless and remorseless vigor.

In this context, then, what are we to make of another security-related news item we reported last week: that White House cybersecurity adviser Richard Clarke spoke at the recent Black Hat conference, urging the hacker attendees to stay on the right side of the law? (See "Hack Away?" Aug. 5, p. 17). Clarke told the Black Hatters that he finds it "very disappointing" when companies press charges against hackers acting in good faith and also said the government is considering legislation that would protect such white-hat actions.

Until now, Clarke seems to have been doing all the right things in his highly challenging role, but I really have to wonder about the wisdom of putting the burden of proof on the victim. Who's to say, other than the company that was hacked, whether the hackers acted in "good faith"? And do we really want to enact legislation protecting such illegal activity, no matter how pure the motives? "Yes, officer, I was secretly in another person's home at 2:30 a.m. stuffing jewels and money into a sack, but I did it because I thought those things were emitting gamma rays that could harm the family that lives there and I don't know what intentions could be better than that." Mr. Clarke, they don't call themselves Black Hats for nothing.

Bob Evans