Steven Carlson on Thu, 2 Sep 1999 22:38:46 +0200 (CEST)



<nettime> Computer (In)Security


Hi Nettimers,

It's been a while since I last posted at Nettime. I just saw Felix's piece
and decided to send in my own view on the Hotmail hack. 

This went out yesterday over Online Europe, so apologies to those who have
already seen it. 

Steven Carlson
Online Europe moderator



Computer (In)Security

The breaking news (as I write this piece) is that hackers have discovered
a security hole in Microsoft's Hotmail that allows you to read other
people's user registration info. This is a serious blow to Hotmail users'
privacy, and a PR embarrassment for Redmond. Hotmail is the leading free
email service, with some 40 million subscribers worldwide. 

On Monday afternoon (Aug 30) the reports of the Hotmail security hole
appeared on Slashdot.Org, a popular news and community site for hackers.
Shortly after that, the announcement drifted across the Nettime mailing
list. 

The reports describing the Hotmail hole also listed a web address users
could visit to try the hack. And you can be sure people did - thousands of
people. Who could resist the Schadenfreude of seeing an industry giant
humbled? That link was like a car accident at the side of the road,
compelling drivers to slow down for a better view. 

And so my question for Online Europe: Can't we - as an industry - find a
better way of dealing with computer security issues? No matter if you're
Microsoft or a small web publisher, at some point security is going to
matter to your business. And as the Hotmail story illustrates, security is
a very haphazard affair on today's Net. 

The Hotmail Effect

The Hotmail security hole was only a potential problem as long as nobody
knew about it. The effect of the announcements was to encourage thousands
of people to take a peek behind the screens into Hotmail's user data. And
as news circulated, more and more took part, until what started as a bug
report became a worldwide news story; and a potential security problem
became a major breach of privacy. 

This is like alerting people to a potential fire hazard by setting the
building on fire. Effective? Sure. Ethical? Well ... 

The classic hacker response is that the publicity of a major hack
highlights the importance of security, and draws immediate public
attention to companies who are lax. And this is true. Particularly in
Holland and Germany, hacker groups have played a positive, and largely
responsible role in publicizing the need for computer security. 

But in the present case of Hotmail, spreading news about the hack put at
risk the privacy of several tens of millions of Hotmail users. Many depend on
Hotmail and other services to mask their identity for economic reasons,
such as when looking for a new job. For some others, such as political
dissidents in Yugoslavia, China, Burma, and other hot spots, protecting
their identity may be a matter of life or death. 

By the time you read this, the Hotmail hack will probably be old news.
Microsoft has taken action to fix the problem, and attention has moved on,
because in today's super-alert news world nothing is duller than
yesterday's headline. But even if this security problem is fixed, such
problems can and will happen in future. 

Who Wants to Solve This Problem? 

There must be a better way to deal with computer security. I'd like to
think that human beings can learn to behave more ethically, but I'm not
prepared to wait. Laws could be passed, but this is also a longer-term
solution. I want something that will work now. 

It seems to me the solution needs to come from those with the biggest
motivation to fix the problem - i.e. the software industry and major web
publishers. Particularly as commerce moves to the web, security fears can
cost the big players billions of dollars in lost revenue, not to mention
legal expenses. 

The solution? Software manufacturers and web publishers should offer
financial rewards to those who find and report bugs. Netscape pioneered
this concept, and to good effect, but few of the major players seem to be
taking it seriously. 

At present the people who find the security holes can enjoy three kinds of
rewards: 

  1 - Satisfaction from gaining technical knowledge
  2 - Recognition from friends or the media
  3 - Financial gain from theft, blackmail or industrial espionage

I'm suggesting the industry co-opt the 'evil hackers' by offering a bounty
for each and every security flaw discovered. In my experience, the people
with knowledge sufficient to figure out these holes are motivated mostly
by knowledge and recognition. But anyway, we all need to make a living,
so why not earn it by uncovering and reporting security holes in software or
web-based services? 

As long as human beings write software there are bound to be bugs, and
some of those bugs will have security implications. Moreover, as long as
there are security holes, there will be those who take satisfaction in
finding them. You can't fight human nature, so you might as well use it to
your advantage. 

Or is there another way?
<mailto:steve@isys.hu>

For further info about the Hotmail security hole:
<http://www.zdnet.com/zdnn/stories/news/0,4586,2323960,00.html>


______________
Steven Carlson, Online Europe moderator
Online Europe brings together the European net industry.
Subscribe by mailing: <mailto:europe-on@isys.hu>

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net