Silence the best security policy

Well-meaning hackers are creating an army of "script kiddies" by making security holes public, says a speaker at the Black Hat Security Conference

Long controversial, the policy of disclosing software vulnerabilities to the public was subject to open attack in a Wednesday keynote at the Black Hat Security Conference.

Marcus Ranum, chief technology officer for intrusion detection software maker Network Flight Recorder, used hard language to say that security can't be improved unless "grey hat" hackers stop disclosing security holes to the public and stop creating tools for so-called "script kiddies" to exploit the holes. "Full disclosure is creating armies and armies of script kiddies," said Ranum, who called the creators of hacking tools "weapons dealers" who aren't really concerned with security.

"Distributing these tools is not helping," he said.

Hacking tools have caused much of the chaos on the Internet in recent years.

The February denial-of-service attacks against eight major Internet sites -- among them Yahoo!, eBay and ZDNet -- used tools created by a grey hat hacker in Germany known as Mixter.

The Melissa virus and the ILOVEYOU worm plagiarised much of their innards from other viruses that came before. And Web vandals tend to use only a handful of exploits to compromise vulnerable sites just enough to post digital graffiti.

"We are creating hordes and hordes of script kiddies," Ranum said. "They are like cockroaches. There are so many script kiddies attacking our networks that it's hard to find the real serious attackers" because of all the chaotic noise.

The main problem is that hacking has become, to some degree, socially acceptable. "Every single conference out there that is supposed to be teaching the network community about security is at the same time pandering to the hacking community," Ranum said.

"It is not a technical problem," he added. "It's a social problem. We need to come down hard and fast on these people."

Moreover, in the burgeoning security software industry, poking holes in a rival's product is good business, Ranum said.

Media coverage of a company's seemingly tech-savvy ability to find security holes can be a boon, while showing weaknesses in others' products can be equally lucrative.

"A lot of the vulnerabilities that are being disclosed are researched for the sole purpose of disclosing them," he said. "Someone who releases a harmful program through a press release has a different agenda than to help you."

A large portion of security experts go home and write tools at night for script kiddies. That's set to change, Ranum said.

Over the next few years, society's tolerance of hackers will lessen once hacking is regarded as "non-ideological terrorism", he said. As home users increasingly find themselves the target of hackers, there will be less and less patience with break-ins. "In the next five years, we are going to move to a counterterrorism model," he said. "It will turn into a witch hunt unless we stop the script kiddies today."

Ranum's message to the creators of tools: "Why don't you do something useful?"
