Taken directly from MSNBC.COM.
LAS VEGAS, July 31 — An adviser to President Bush encouraged top computer security professionals and hackers Wednesday to try to break computer programs, offering to support and protect good-faith researchers from the legal wrath of software makers.
RICHARD CLARKE, Bush’s computer security adviser, told hackers at the Black Hat conference that most security holes in software are not found by the software makers but by independent users.
“Some of us, here in this room, have an obligation to find the vulnerabilities,” Clarke said.
Government-funded computer research facilities have identified thousands of vulnerabilities in computer software over the past year, including those in Microsoft operating systems and programs by companies such as Oracle, Sun and America Online. Such vulnerabilities can allow criminals to break into or disrupt home or business computers. (MSNBC is a Microsoft-NBC joint venture.)
Clarke cautioned that hackers should be responsible in reporting programming mistakes. A hacker should contact the software maker first, he said, then go to the government if the software maker does not respond soon.
Hackers commonly share their findings with others in their community through e-mail lists or Web sites. But how much they should disclose is a running debate among computer security professionals. Some argue that full disclosure is best; others say a hacker should only warn that a problem exists without showing how to take advantage of it.
Clarke said hackers should not help criminals by showing how to exploit a programming bug before the software maker has a chance to fix the problem by issuing a patch, or fix.
“It’s irresponsible and sometimes extremely damaging to release information before the patch is out,” Clarke said.
Companies differ in their response to independent researchers. While some encourage or even reward bug-hunters, others are more concerned about the possibility of extortion or embarrassment to the company. In some instances, they seek civil or criminal charges against the hacker.
Clarke said that situation is “very disappointing,” as long as the hacker acts in good faith.
“If there are legal protections they don’t have that they need, we need to look at that,” he said.
Black Hat, sponsored by PricewaterhouseCoopers, Microsoft and other companies, consists of two days of presentations showing how to both break into and protect computer networks.
Other government employees were scheduled to speak, including a National Security Agency official. The Justice Department promised to update how new anti-terrorism laws affect computer security investigations.
Clarke offered a more detailed preview of the nation’s plan to protect cyberspace, which his office is coordinating with the help of industry and computer experts. That plan, which Clarke called a “living document,” will be released in September.
Clarke warned about vulnerabilities in cheap and simple wireless networks, which are becoming popular in businesses and homes. Most wireless networking products are extremely easy to break into — even from a person in a car driving by several hundred yards away. They are sold with almost no security options enabled.
Clarke said it is a failure of technology makers to sell the networks without sufficient protection and a failure of government to let it happen.
“Until we have a better, proven track record with the wireless (networks), we all should shut them off until the technology gets better,” Clarke said.
The conference organizers did not take Clarke’s advice, however. The Las Vegas hotel had a wireless network for the benefit of attendees, but its poor security prompted the hotel to make the network free so that laptop-armed hackers at the conference would not be tempted to seek out credit card numbers passed over the airwaves.
The Defense Department said this week it is finalizing new restrictions on the use of wireless devices.
Clarke urged software companies to develop products with security in mind. He said he was outraged that telephone and cable companies provide high-speed Internet access to home users but do not also provide easy-to-use security software.
“Millions of households are getting connected and therefore getting vulnerable” to online crime, Clarke said. “It’s a bit like selling a car today without a seat belt.”