Information Security News mailing list archives
Silence the best security policy
From: InfoSec News <isn () C4I ORG>
Date: Thu, 27 Jul 2000 04:50:49 -0500
http://www.zdnet.com/zdnn/stories/news/0,4586,2608077,00.html

By Robert Lemos, ZDNN
July 26, 2000 3:58 PM PT

LAS VEGAS -- Should security holes be hushed up?

Long controversial, the policy of disclosing software vulnerabilities to the public was subject to open attack in a Wednesday keynote at the Black Hat Security Conference.

Marcus Ranum, chief technology officer for intrusion detection software maker Network Flight Recorder Inc., used hard language to say that security can't be improved unless "gray hat" hackers stop disclosing security holes to the public and stop creating tools for so-called "script kiddies" to exploit the holes.

"Full disclosure is creating armies and armies of script kiddies," said Ranum, who called the creators of hacking tools "weapons dealers" who aren't really concerned with security. "Distributing these tools is not helping," he said.

The problem with tools

Hacking tools have caused much of the chaos on the Internet in recent years. The February denial-of-service attacks against eight major Internet sites -- among them Yahoo! Inc., eBay Inc. and ZDNet Inc. -- used tools created by a gray-hat hacker in Germany known as Mixter. The Melissa virus and the ILOVEYOU worm plagiarized much of their innards from other viruses that came before. And Web vandals tend to use only a handful of exploits to compromise vulnerable sites just enough to post digital graffiti.

"We are creating hordes and hordes of script kiddies," Ranum said. "They are like cockroaches. There are so many script kiddies attacking our networks that it's hard to find the real serious attackers" because of all the chaotic noise.

'It's a social problem'

The main problem is that hacking has become, to some degree, socially acceptable.

"Every single conference out there that is supposed to be teaching the network community about security is at the same time pandering to the hacking community," Ranum said. "It is not a technical problem," he added. "It's a social problem. We need to come down hard and fast on these people."

Moreover, in the burgeoning security software industry, poking holes in a rival's product is good business, Ranum said. Media coverage of a company's seemingly tech-savvy ability to find security holes can be a boon, while showing weaknesses in others' products can be equally lucrative.

"A lot of the vulnerabilities that are being disclosed are researched for the sole purpose of disclosing them," he said. "Someone who releases a harmful program through a press release has a different agenda than to help you."

A large portion of security experts go home and write tools at night for script kiddies.

Hacking to become terrorism?

That's set to change, Ranum said. Over the next few years, society's tolerance of hackers will lessen once hacking is regarded as "non-ideological terrorism," he said. As home users increasingly find themselves the target of hackers, there will be less and less patience with break-ins.

"In the next five years, we are going to move to a counterterrorism model," he said. "It will turn into a witch hunt unless we stop the script kiddies today."

Ranum's message to the creators of tools: "Why don't you do something useful."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".