[iwar] [fc:Lawmakers.Briefed.on.Buggy.Code]

From: Fred Cohen (fc@all.net)
Date: 2001-11-16 06:05:25



Lawmakers Briefed on Buggy Code
Tech industry leaders urge neophyte subcommittee to support cyber security
FOIA and antitrust exemptions

By Will Rodger
Nov 15 2001 6:56PM PT

WASHINGTON -- A House subcommittee better known for its privacy concerns
took up the issue of computer security Thursday, signaling a sudden interest
in a topic once confined to more obscure reaches of the congressional
committee system.

Cliff Stearns, R-Fla., chairman of the House Energy and Commerce Committee's
Commerce, Trade and Consumer Protection Subcommittee, said insecure systems
are nothing new. But the lessons of Sept. 11 have changed the old ways of
thinking on Capitol Hill.

"Terrorists and their recruits also have grown up in the digital age and
thus most probably possess the technical skills to undertake concerted and
effective cyber terror attacks," Stearns said. "Cyber terrorism can
potentially engender greater pain and tragedy."

But panelists seemed in no mood to prognosticate future disasters; indeed,
the idea that hackers could cause major damage to the nation remains
controversial, since no such attack has ever been launched.

Instead, witnesses called for more training and more efficient use of the
people assigned to do computer security.

Mary Ann Davidson, director of security product management at Oracle, took
an apparent swipe at rival Microsoft when she said secure systems would not
arise in a "monopoly environment." Still, she said, software developers
should create small, elite teams to address security issues before they
arise. That way programmers could scrutinize each other's work closely.

Witnesses were unanimous in supporting efforts to shield companies from
liability related to computer-security efforts.

For instance, the government has urged companies from nearly every sector of
the economy to share information about security threats and vulnerabilities
-- among themselves and with law enforcement.

But centers set up for information exchange have not been as effective as
they might be, panelists said. Some lawyers believe such data swapping could
be interpreted as violations of U.S. antitrust laws. Others fear competitors
or consumer groups could use the Freedom of Information Act to "out"
companies whose security was not up to snuff.

FOIA Exemption Sought

The panel was unanimous in calling for changes to antitrust statutes as well
as the Freedom of Information Act. They also wanted an exemption from the
Federal Advisory Committee Act, which could make some details of computer
insecurities public.

Microsoft Chief Security Officer Howard Schmidt asked the committee to
support legislation to do all those things.

Efforts to move such a bill out of the Senate Judiciary committee have
faltered in the face of opposition from committee chair Patrick Leahy, D-Vt.
Leahy and others maintain the changes could let companies sweep problems
under the rug.

"The argument against it is that, for some security vulnerabilities, we need
more exposure not less. It's the only way things are going to get fixed,"
said James Dempsey, senior counsel to the Center for Democracy and
Technology, after the hearing.

Since information-sharing centers cover all infrastructure, not just
computers, Dempsey said, implications could be grave when it comes to the
safety of nuclear plants or chemical factories. "The question of what did
they know and when did they know it can never be asked."

Subcommittee members moved cautiously through a field that was new to them.

Diana DeGette, D-Colo., asked panelists if they had discovered any new
vulnerabilities in the nation's networks since Sept. 11. Dave McCurdy, a
former Congressman and president of the Electronic Industries Alliance,
explained that security holes are a chronic, ongoing problem. He referred
subcommittee members to the Website of the Computer Emergency Response Team
at Carnegie-Mellon University for details.

Warren Axlerod, chief of computer security at the Pershing securities
clearinghouse in New York City, explained vulnerabilities are a function of
computer code itself, rather than efforts to subvert it from the outside.

For all the talk of terrorist crackers, Oracle's Davidson was unabashed in
her admiration for many of the world's "white hat" hackers. "As much as no
vendor likes hackers going after their product, we learn from them and we
build better product because of them," she said.

She even suggested that a proposed government jobs program could do some of
that work for the rest of society.

"It's not too far-fetched to think that a 'cybercorps' of hackers can
measurably help secure the nation's critical infrastructure against the
hackers of a malicious foreign power," she said.




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST