Publishing security flaws

24 October 2002 - 22:00 | 4 minutes reading time | Opinion | Innovation & Transformation
Martin Healey

There are some worthy efforts that are doomed to failure from the beginning. Unfortunately some of these are rather serious and we would be better off if something could be done. One of the latest efforts is the formation of a group which will set down rules to control how information about security flaws is released to the public.

This proposal has been formulated by a group of software companies and a number of security specialists. Not surprisingly, given the almost daily news of yet another breach of security in Windows, SQL Server, Internet Explorer, etc., Microsoft are involved. But Windows is not the only target for hackers and so Linux specialist SCO (formerly Caldera) is another interesting member. Equally it is not always the system software that is vulnerable to security flaws. Database Management Systems and many applications bypass operating system functions and thus may be vulnerable. Hence another notable member company is Oracle. The other members of the group are security specialists such as ISS, Symantec and Birdview.
One of the first things to note is the companies that are not involved, at least for the time being. Where are IBM, Sun and HP? And where are the communication equipment vendors such as Cisco? The fact is that they are not exposed to the problems of hacking that apply to PC-based systems. Mainframes are in fact inherently more secure than PCs and thus don’t attract the attention of the hackers to the same degree. This of course is why SCO are involved and why the rest of the Linux and other Open Source Software suppliers should also join. Microsoft is the obvious target because the arrogance, excessive profiteering and poor quality of their products make them objectionable to the typical hacker. These same people are also Windows experts. It is fairly obvious that as Linux and other OSS products, Apache for instance, gain in popularity, they will also attract the hackers. These hackers know little about bigger Unix or mainframe systems and don’t have the same resources and skills to attack them.
The flaw with the above argument is that the PC bias applies only to the hordes of irritating nerds who think that it is fun to spoil other people’s property. But cyber terrorism is surely far more serious than Internet hacking. Terrorists are heavily funded and will be able to buy the resources and skills to hack into any system. Thus while there are far fewer of them they can be very much more dangerous. It follows that government agencies should also be involved with any security effort.
Back to the new group. They make no claims to be a policing organisation, with no attempt to be punitive. Their objective is to lay down guidelines for how security problems are exposed to the public. At the moment there is a big gap between the software suppliers and the security consultancies. The former are usually all too aware of problems with their software and in general should welcome any help in identifying them. The problem lies in the timing of any public announcements. The software houses would like some time to work on a problem so as to be able to make a fix available as soon as the exposure is made. The security consultancies on the other hand have a different agenda, each trying to outdo the others, which means that they make as much noise in the press as they can, as soon as they can. They would also argue a legitimate case that users have a right to be informed as soon as possible, forewarned being forearmed!
It is easy to see both sides of this argument and that is why nothing definitive will be achieved. The press is always receptive to any newsworthy item and while we all get fed up with the identification of yet another virus, it is still good newspaper copy! Thus there is always a market for a hacking story and as the members of the new group come to some compromise, there will always be someone outside the group willing to grab the headlines.
It is a shame that the Internet authorities wouldn’t tackle this thorny problem and that as a result it has been left to the commercial parties involved. But at least they own up to the problem and are trying to do something. Good luck to them, but it is a difficult task they face.

Martin Healey, pioneer in the development of Intel-based computers and c/s architecture. Director of a number of IT specialist companies and an Emeritus Professor of the University of Wales.