Users login

Create an account »


Users login

Home » Hacking News » 'White Hat' Hackers Threaten Information Anarchy

'White Hat' Hackers Threaten Information Anarchy

by Majik on November 6th, 2001 Responding to an effort by Microsoft [NASDAQ:MSFT] to squelch the full disclosure of software vulnerabilities, a group of "white hat" hackers is putting out a call to other experts, asking them to deluge software vendors with bug reports.

"Let's flood the security department of every vendor with new issues. Let's show the world what they would miss and what information could just as easily have stayed in the underground," wrote a security researcher who uses the nickname "HellNbak," in an announcement posted to several security mailing lists last week.

So far, only one prominent organization has signed on to the "Information Anarchy 2K01" initiative - a group known as Nomad Mobile Research Center, of whom HellNbak is a member.

The call to arms comes as Microsoft convened its Trusted Computing conference in Mountain View, Calif., today, and is expected Wednesday to further its push for an industry consensus against disclosing details on security vulnerabilities.

That effort to block security experts from publishing "exploits" was formally launched last month with the publication of an essay by Scott Culp, the head of Microsoft's security response center, entitled "It's Time to End Information Anarchy."

The company is expected to put forth a formal proposal this week in the form of a request for comment with the Internet Engineering Task Force, an industry standards-setting body.

Sources said Microsoft also has recently been lobbying senior management at major security consulting firms over the issue, and at least one unspecified company has agreed to adopt Microsoft's vision of "responsible" disclosure.

"If companies don't start taking a more responsible approach, some of the ramifications could be bad," including new laws criminalizing the release of exploit code, said Chris Klaus, founder and chief technology officer for Internet Security Systems. According to Klaus, ISS has long considered the public release of "proof of concept" programs that exploit software holes "the equivalent of giving burglar tools to everyone."

But if Microsoft succeeds in shutting off open discussions of security vulnerabilities, the conversation will merely go underground to the world of "thieves, spies, and never-do-wells," according to Richard Forno, chief technology officer for Shadowlogic, a Virginia-based security consulting firm.

"HellNbak is correct. ... We need this public discourse, without which the Internet community is placed in serious, uninformed, corporate-controlled jeopardy," said Forno.

Among those scheduled to present at the Microsoft conference is Chris Wysopal, director of research and development for AtStake, a security consulting firm that includes former members of L0pht, a group that in the past has released several tools that exploit security weaknesses.

Wysopal, who also uses the hacker nickname "Weld Pond," said he will outline his views on the need for vulnerability reporting standards.

At present, AtStake's disclosure policy specifies that the firm may release full technical details, including "non-gratuitous" exploit code, 12 days after notifying a vendor of a security vulnerability, according to a statement of the policy at the AtStake site.

While HellNbak reported that he has seen considerable interest from independent security consultants, the Information Anarchy proposal is unlikely to have its intended effect, according to Elias Levy, chief technology officer for SecurityFocus.

"He is calling for people to release vulnerabilities, but he is also calling for people to do so responsibly. So I fail to see how that is any different than what we do today," said Levy.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »