[ISN] Cerf Disses Bush's Patch Plan

From: InfoSec News (isnat_private)
Date: Thu Dec 13 2001 - 00:39:11 PST

    http://www.wired.com/news/conflict/0,2100,49095,00.html
    
    Associated Press 
    3:05 p.m. Dec. 12, 2001 PST  
    
    WASHINGTON -- One of the Internet's founders said Wednesday there were
    important weaknesses in the Bush administration's plans to build an
    ultra-secure government network and to encourage companies to make
    computers safer for consumers.
    
    Vinton G. Cerf, widely recognized as a "father of the Internet" for
    co-inventing one of its communications technologies, warned against a
    White House proposal to have software companies automatically repair
    their products whenever new vulnerabilities were discovered.
    
    Last week, the president's top computer security adviser complained to
    some technology executives that consumers and businesses routinely
    fail to install software fixes known as "patches" even as vendors make
    them freely available. Richard Clarke said it was "not beyond the wit
    of this industry to force patches down" to users.
     
    "Some people have suggested we push out patches a lot more," Cerf told
    technology executives and government officials at a conference
    Wednesday. "It's an attractive idea, but I don't know how we go about
    making it work."
    
    Some of the Internet's most-damaging attacks, including those from the
    virus-like Code Red and Nimda programs, exploited flaws in software
    from Microsoft that had been discovered weeks or months earlier.  
    Although only computers where users did not install the patches were
    attacked, resulting congestion affected parts of the Internet more
    broadly.
    
    Cerf, senior vice president of Internet architecture and technology at
    WorldCom, said software vendors could not be expected to develop
    patches that can be installed safely across the array of the world's
    network configurations. Others also have warned that a vendor's poorly
    written patch could disrupt a company's operations unless it were
    tested extensively to be sure it was compatible with all the company's
    other software.
    
    "There are interesting questions about doing it automatically," said
    Cerf, who spoke at a computer-security conference organized by the
    Information Technology Association of America and Computer Sciences
    Corp.
    
    Cerf said software companies need to do a better job ensuring their
    products are secure and cannot be used as weapons to attack others
    electronically on the Internet. "The people who build the software
    don't seem to be paying attention to how these things can be abused,"  
    Cerf said.
    
    Cerf expressed caution about another proposal endorsed by the White
    House to build an ultra-secure, private computer network for
    government agencies and their key partners, called "Govnet."
    
    Clarke proposed the idea a year ago at a security conference at
    Microsoft's headquarters, then formally announced the project eight
    weeks ago.
    
    Unlike traditional U.S. computer networks, Govnet would be physically
    separate from the Internet with no way to exchange e-mails or files
    with outsiders to maintain security and protect it from hackers,
    viruses and other online threats.
    
    Cerf noted that networks are most useful, though admittedly more
    vulnerable, when they are connected to other public networks of
    computers. Cerf predicted that Govnet users would be tempted to
    illegally connect laptops or other computers for their convenience, or
    would transfer information on floppy disks between Govnet and public
    computers.
    
    Although some U.S. classified computer networks are physically
    separate from the Internet and other public networks, viruses and
    other malicious software are occasionally discovered on them.
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    
    This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 04:28:11 PST