Rules to Address Holes in Software
As the cost of securing data against malicious attacks continues to escalate, big technology companies and security researchers are stepping up efforts to control the spread of information about software holes that make computers vulnerable to hackers.
Yet they fear they are not moving fast enough to avert a wave of lawsuits and legislative action that could impose strict rules on corporate software buyers, criminalize the work of some security researchers or hold companies like Microsoft Corp. liable for attacks on their customers.
“It’s not a matter of if but when there will be new regulation,” said Vincent Weafer, senior director of incident response at Symantec Corp. in Cupertino, Calif., which makes anti-virus and other security software.
Overall data security, which wasn’t very good to begin with, has been getting worse as software is designed to do more things and connect more people. Hackers and other researchers have been finding flaws with increasing frequency, and saboteurs are exploiting those flaws by designing viruses, worms and other programs at ever faster rates.
That’s why most security researchers agree not to publicize the holes they find until target software makers come up with patches and distribute them to customers.
Now some of the biggest names in technology are trying to formalize the process by crafting guidelines to govern when security holes are disclosed and the corresponding patches are released. Working under the auspices of the Organization for Internet Security, Microsoft, Symantec, Oracle Corp. and other companies are hammering out rules they hope will pressure bug finders not to publicize their findings until it is deemed safe for them to do so.
“We think it will improve the situation,” said Scott Culp, senior security strategist for Microsoft.
The guidelines, which don’t have the force of law, lay out nearly a hundred steps for what a person should -- and shouldn’t -- do after finding a hole. They also govern the appropriate responses for the company that wrote the faulty software.
At first, the plan says, a hacker should notify the software maker and refrain from publicizing the vulnerability. The software company, in return, is supposed to keep the hacker informed as it conducts tests and develops a patch, a process that should take about a month.
Then another month is supposed to elapse before the hacker may broadcast details about the problem he or she found.
If no software patch can be developed, according to the Organization for Internet Security, those details should never be released.
So far, the guidelines have won over few hackers who work for small companies or on their own.
“It’s retarded,” said Dave Aitel, a respected hacker and veteran of the National Security Agency.
Aitel and others complain that companies will falsely claim they can’t construct a patch, leaving hackers no opportunity to publicize the flaws they find.
“The only people who will benefit ... are the vendors, the criminals and” malicious hackers, Eric Raymond, a leading technical author, wrote to the Internet security group.
If a patch does come out, experts fear, talented virus writers will study it and work backward to find the underlying problem. Then they’ll write a malicious program to exploit it, as they did with the Blaster worm this summer.
Meanwhile, many systems administrators will be reluctant to install the patch for the month before they know the underlying problem, since many patches turn out to have bugs themselves.
“The net result is that attackers will have a head start,” said Byrne Ghavalas, a researcher with Network Security Consulting Services in Reading, England.
Still, big tech companies feel they have to do something. They fear Congress will pass laws holding them responsible when hackers breach the software they create, an approach being advocated by the National Academy of Sciences. Rep. Adam Putnam (R-Fla.), chairman of a House subcommittee on information technology, recently warned that the next time a major Internet virus strikes, Congress will be under extreme pressure to do something dramatic.
In the meantime, lawsuits and threats of legal action are piling up. A Los Angeles woman is seeking class-action status for her 2-month-old suit against Microsoft, arguing that it ran afoul of a new California law requiring companies to let customers know when hackers gain access to personal information.
More commonly, software companies are threatening to sue hackers who expose holes in their products. Hewlett-Packard Co., SunnComm Technologies Inc. and GameSpy Industries Inc. all have issued threats under the Digital Millennium Copyright Act, a 5-year-old law that prohibits distribution of some software code based on reverse-engineering. HP and SunnComm withdrew their threats after an outcry from security experts; GameSpy succeeded this month in forcing an Italian researcher to delete references to GameSpy bugs from his Web site.
“This is a battlefield,” said Jennifer Granick, a cyber law specialist at Stanford University’s Center for Internet and Society.
In response, some hackers are trying to pool their resources by creating a trade group.
Thor Larholm, a 23-year-old researcher at security consulting firm PivX Solutions of Newport Beach, said his as-yet-unnamed group would have as many as 800 members when it is announced around the end of the year. Their top priority is to fight the guidelines from the Organization for Internet Security, and they might lobby Congress on related issues as well.
Larholm said that if the OIS rules were enshrined in law, they would threaten the livelihoods of some hackers who make a legitimate living finding security holes and then helping to fix them.
“If you are required to tell the company the vulnerability, how can you possibly negotiate” a price for your efforts, said President Bob Weiss of Password Crackers Inc., a North Potomac, Md., firm that helps companies recover information hidden on their machines.
With fewer business opportunities, some hackers may migrate to the black market, where they can earn $5,000 selling programs that take advantage of an unpublicized hole to spammers, organized crime figures and other unsavory customers, said Mark Loveless, a BindView Corp. security researcher and former malicious hacker.
But he said the larger worry was that new laws, proposed legislation and the OIS guidelines were combining to undermine the security of computer networks.
“It all points to the direction of less information,” he said.