http://www.wired.com/news/conflict/0,2100,49095,00.html

Associated Press
3:05 p.m. Dec. 12, 2001 PST

WASHINGTON -- One of the Internet's founders said Wednesday there were important weaknesses in the Bush administration's plans to build an ultra-secure government network and to encourage companies to make computers safer for consumers.

Vinton G. Cerf, widely recognized as a "father of the Internet" for co-inventing one of its communications technologies, warned against a White House proposal to have software companies automatically repair their products whenever new vulnerabilities were discovered.

Last week, the president's top computer security adviser complained to some technology executives that consumers and businesses routinely fail to install software fixes known as "patches" even as vendors make them freely available. Richard Clarke said it was "not beyond the wit of this industry to force patches down" to users.

"Some people have suggested we push out patches a lot more," Cerf told technology executives and government officials at a conference Wednesday. "It's an attractive idea, but I don't know how we go about making it work."

Some of the Internet's most-damaging attacks, including those from the virus-like Code Red and Nimda programs, exploited flaws in software from Microsoft that had been discovered weeks or months earlier. Although only computers where users did not install the patches were attacked, resulting congestion affected parts of the Internet more broadly.

Cerf, senior vice president of Internet architecture and technology at WorldCom, said software vendors could not be expected to develop patches that can be installed safely across the array of the world's network configurations.

Others also have warned that a vendor's poorly written patch could disrupt a company's operations unless it were tested extensively to be sure it was compatible with all the company's other software.

"There are interesting questions about doing it automatically," said Cerf, who spoke at a computer-security conference organized by the Information Technology Association of America and Computer Sciences Corp.

Cerf said software companies need to do a better job ensuring their products are secure and cannot be used as weapons to attack others electronically on the Internet.

"The people who build the software don't seem to be paying attention to how these things can be abused," Cerf said.

Cerf expressed caution about another proposal endorsed by the White House to build an ultra-secure, private computer network for government agencies and their key partners, called "Govnet." Clarke proposed the idea a year ago at a security conference at Microsoft's headquarters, then formally announced the project eight weeks ago.

Unlike traditional U.S. computer networks, Govnet would be physically separate from the Internet with no way to exchange e-mails or files with outsiders to maintain security and protect it from hackers, viruses and other online threats.

Cerf noted that networks are most useful, though admittedly more vulnerable, when they are connected to other public networks of computers.

Cerf predicted that Govnet users would be tempted to illegally connect laptops or other computers for their convenience, or would transfer information on floppy disks between Govnet and public computers.

Although some U.S. classified computer networks are physically separate from the Internet and other public networks, viruses and other malicious software are occasionally discovered on them.