
Silence the best security policy

  • 27-07-2000 5:03pm
    #1
    Registered Users, Registered Users 2 Posts: 332 ✭✭


    interesting article...
    http://news.excite.com/news/zd/000726/18/silence-the-best
    Silence the best security policy


    Updated 6:58 PM ET July 26, 2000

    by Robert Lemos, ZDNet News

    Well-meaning hackers are creating an army of "script kiddies" by making security holes public, says a speaker at the Black Hat Security Conference.

    LAS VEGAS -- Should security holes be hushed up?

    Long controversial, the policy of disclosing software vulnerabilities to the public was subject to open attack in a Wednesday keynote at the Black Hat Security Conference.

    Marcus Ranum, chief technology officer for intrusion detection software maker Network Flight Recorder Inc., used hard language to say that security can't be improved unless "gray hat" hackers stop disclosing security holes to the public and stop creating tools for so-called "script kiddies" to exploit the holes.

    "Full disclosure is creating armies and armies of script kiddies," said Ranum, who called the creators of hacking tools "weapons dealers" who aren't really concerned with security.

    "Distributing these tools is not helping," he said.

    The problem with tools

    Hacking tools have caused much of the chaos on the Internet in recent years.

    The February denial-of-service attacks against eight major Internet sites -- among them Yahoo! Inc., eBay Inc. and ZDNet Inc. -- used tools created by a gray hat hacker in Germany known as Mixter.

    The Melissa virus and the ILOVEYOU worm plagiarized much of their innards from other viruses that came before. And Web vandals tend to use only a handful of exploits to compromise vulnerable sites just enough to post digital graffiti.

    "We are creating hordes and hordes of script kiddies," Ranum said. "They are like ****roaches. There are so many script kiddies attacking our networks that it's hard to find the real serious attackers" because of all the chaotic noise.

    'It's a social problem'

    The main problem is that hacking has become, to some degree, socially acceptable. "Every single conference out there that is supposed to be teaching the network community about security is at the same time pandering to the hacking community," Ranum said.

    "It is not a technical problem," he added. "It's a social problem. We need to come down hard and fast on these people."

    Moreover, in the burgeoning security software industry, poking holes in a rival's product is good business, said Ranum.

    Media coverage of a company's seemingly tech-savvy ability to find security holes can be a boon, while showing weaknesses in others' products can be equally lucrative.

    "A lot of the vulnerabilities that are being disclosed are researched for the sole purpose of disclosing them," he said. "Someone who releases a harmful program through a press release has a different agenda than to help you."

    A large portion of security experts go home and write tools at night for script kiddies.

    Hacking to become terrorism?

    That's set to change, Ranum said.

    Over the next few years, society's tolerance of hackers will lessen once hacking is regarded as "non-ideological terrorism," he said. As home users increasingly find themselves the target of hackers, there will be less and less patience with break-ins.

    "In the next five years, we are going to move to a counterterrorism model," he said. "It will turn into a witch hunt, unless we stop the script kiddies today."

    Ranum's message to the creators of tools: "Why don't you do something useful."


Comments

  • Users Awaiting Email Confirmation Posts: 285 ✭✭sam


    that guy is talking through his ****

    instead of telling people what to do
    Ranum's message to the creators of tools: "Why don't you do something useful."
    is he paying them to do something "useful"??
    why doesn't he (and possibly his intrusion detection company) fix those security holes, or design a better system.. I'm sure he'd spend a lot of time fixing security holes if he knew that only 5 people knew how to exploit those holes..
    this was exactly Microsoft's policy, "silence", they always tried to say "our system doesn't contain flaws" etc., and they are always the last to tell anyone about any bugs/security holes in their systems, where did this get them? they're at the stage where they are probably the easiest systems to crash/infiltrate for anyone who has half a clue, whereas with systems with a policy of full disclosure (eg. Linux) you have a system far harder to bring down/infiltrate


  • Registered Users, Registered Users 2 Posts: 21,264 ✭✭✭✭Hobbes


    Fixing a hole will only get you so far, most l33tards just move onto the next program of choice.

    But if the person has the cops knocking on their door because of what they did you'll find most will change their tune.

    The FBI already have an online site to shop in script kiddies.



  • Registered Users, Registered Users 2 Posts: 332 ✭✭spod


    It's a hard one to call. There are definite pros and cons to full disclosure. I'm generally in favour of it, however I would have to agree with this point from Ranum:
    "A lot of the vulnerabilities that are being disclosed are researched for the sole purpose of disclosing them," he said. "Someone who releases a harmful program through a press release has a different agenda than to help you."

    it's a strange modern ethics question which isn't going to go away but is fun to think about...

