[infowar.de] US Cyber-Security Czar Clarke on Market Forces vs. Vendor Obligations



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

"You're basically letting them bully us into keeping vulnerabilities
secret," the questioner said. "Shouldn't there be some legislation on
this?" 
"Personally, I think the answer to that is yes," Clarke responded. "We
need to have everyone in this country who's an IT expert looking for
vulnerabilities." 
RB


http://www.eweek.com/article2/0,3959,639103,00.asp

October 17, 2002
Clarke Solicits Cyber-Security Input at MIT

By Dennis Fisher

CAMBRIDGE, Mass. -- If Wednesday night's town hall meeting here was any
indication, Richard Clarke is getting just what he asked for. 

After releasing a draft of the National Strategy to Secure Cyberspace
for comment in September, Clarke has embarked on a cross-country tour,
soliciting feedback on the document and stumping for passage of the bill
that would create the Department of Homeland Security. During his most
recent stop, at the Massachusetts Institute of Technology, audience
members gave Clarke a wide range of suggestions for the strategy, with
many of them centering on the theme of vendor responsibility for
insecure software. 

Many people asked Clarke, chairman of the President's Critical
Infrastructure Protection Board, to consider recommending some form of
regulation for the software industry as a way to spur vendors into
writing more secure applications. Clarke resisted the idea, as he has in
the past, saying that he'd rather rely on market forces and customer
demand to weed out the careless vendors. 

One area where Clarke agreed that new legislation might be in order is
security research. One audience member complained that the Digital
Millennium Copyright Act and anti-hacking laws are preventing legitimate
security researchers from publishing information on new vulnerabilities. 

"You're basically letting them bully us into keeping vulnerabilities
secret," the questioner said. "Shouldn't there be some legislation on
this?" 

"Personally, I think the answer to that is yes," Clarke responded. "We
need to have everyone in this country who's an IT expert looking for
vulnerabilities." 

Jeff Schiller, the event moderator, had another suggestion. 

"We also need vendors who when they put out critical security fixes
don't attach a new license agreement," said Schiller, MIT's network
manager and head of the Internet Engineering Task Force's security
section. The comment, which refers to an agreement that Microsoft Corp.
included with a service pack it released earlier this year, drew a big
round of applause from the audience. 

In response to several comments about the apathy that many big software
vendors show toward security issues, Clarke urged customers and
researchers to bring their concerns to him if they aren't satisfied with
the vendor's answer. He also pointed a finger at the software makers for
not making smart choices in configuring their products. 

"People have been shipping software with totally needless, stupid
functionality turned on," he said. 

Clarke, who served on the National Security Council during the Clinton
administration, likened the current attitude toward security to the way
some Washington officials used to feel about the potential for terrorism
in the United States: it will never happen to us. 

"Somebody, someday is going to hurt our economy if we don't start
dealing with our vulnerabilities," said Clarke.
